Spammers Hijacking IP Space

kdawson posted more than 6 years ago | from the open-and-shut-case dept.

Spam 233

Ron Guilmette writes "As reported in the Washington Post's Security Fix blog, a substantial hunk of IP address space has apparently been taken over by notorious mass e-mailing company Media Breakaway, LLC, formerly known as OptInRealBig, via means that are at best questionable. The block in question is 134.17.0.0/16, which I documented in depth in an independent investigation. (Apparently, the President of Media Breakaway has now admitted to the Washington Post that his company has been occupying and using the 134.17.0.0/16 block and that front company JKS Media, which provides routing to the block, is actually owned by Media Breakaway.) Remarkably, the president of Media Breakaway, who happens to be an attorney, is trying to defend his company's apparent snatching of this block based upon his own rather novel legal theory that ARIN doesn't have jurisdiction over any IP address space that was handed out before ARIN was formed, in 1997."

233 comments

I say we dust off and nuke the site from orbit (3, Funny)

$RANDOMLUSER (804576) | more than 6 years ago | (#23246742)

It's the only way to be sure...

Even better. 134.17.0.0/16 /dev/null (1)

Gary W. Longsine (124661) | more than 6 years ago | (#23247054)

This is almost as good as asking spammers to Set the Evil Bit, so we can filter them out. If all the spammers sign on for address space in this block, we can just route that block to /dev/null and be done with it. ;-)

Re:Even better. 134.17.0.0/16 /dev/null (1)

just_another_sean (919159) | more than 6 years ago | (#23247258)

> This is almost as good as asking spammers to Set the Evil Bit, so we can filter them out. If all the spammers sign on for address space in this block, we can just route that block to /dev/null and be done with it. ;-)

Maybe. This would stop the questionable spammers. The ones that send the "opt in" crap that a lot of people fall for on web forms. Heck, some of them even want email like this.

Somehow I doubt the V14gr4 and P3n15 Enlargmenttt! stuff will go away by filtering these IPs. I may be wrong, but somehow I don't think your average zombie is routing through this space.

If only we could... (2, Funny)

Fluffeh (1273756) | more than 6 years ago | (#23246744)

Form an angry mob, arm ourselves with pitchforks and flaming brands, and then chase those rascals way out to the outskirts of town.

Hell, if there was any trouble, we could even transform into an angry lynch mob - THEN let's see who owns that space eh? EH? Whaddya say?

Wouldn't it be nice... (3, Insightful)

dreamchaser (49529) | more than 6 years ago | (#23246764)

...if everyone just blocked that IP range entirely at their routers, shutting off their connectivity?

There was a time when the Internet was a 'small' enough place that it would have even been feasible. Kind of like blacklisting a Usenet server for spam.

Re:Wouldn't it be nice... (3, Insightful)

Fluffeh (1273756) | more than 6 years ago | (#23246802)

Only problem with that approach is that you are therefore in fact giving them that IP space by lack of a fight.

That would then lead to another group "claiming" another spot of space, and so on and so forth - until there was no legitimate or unused space left at all - then you would have to fight the same fight with many many people rather than one spamming company as we have now.

Re:Wouldn't it be nice... (1)

Ethan Allison (904983) | more than 6 years ago | (#23247200)

So what? There's enough internet to go around – do we really need any of the stuff that ARIN doesn't have control over?

Re:Wouldn't it be nice... (1)

Kadin2048 (468275) | more than 6 years ago | (#23247680)

> So what? There's enough internet to go around – do we really need any of the stuff that ARIN doesn't have control over?

Huh? There certainly isn't enough "internet", if that includes IPv4 address space. We definitely don't have enough space if every jackass in the universe runs out and squats in the first /16 they decide to use.

Re:Wouldn't it be nice... (1)

rbanffy (584143) | more than 6 years ago | (#23247444)

No. By isolating them we will make them non-viable and, when they die, we will reclaim the block.

For now, I have blocked it in my firewalls.

Re:Wouldn't it be nice... (3, Insightful)

Metasquares (555685) | more than 6 years ago | (#23247742)

How will everyone know when the block is reclaimed? You'll end up with an entire /16 that no one can use because everyone is still blocking it.

Re:Wouldn't it be nice... (0)

Anonymous Coward | more than 6 years ago | (#23247016)

I've already done just that, permitting specific countries to connect to my domains but firewalling off other countries/IP addresses so they cannot connect to any port, notably SMTP, which had the nice side effect of dramatically cutting back on spam processing (it also prevents the problem outlined by the article too). Sadly, the iptables geomind extension isn't really maintained so I wound up using OpenBSD's pf firewall. It's currently at ~93000 lines, each line representing a netblock for the countries that I care about, and the performance impact is very low (use pf tables which makes all the difference). Then you have lines like (I use ISO 2 character country codes)

pass in quick on $ext_if from to any

Re:Wouldn't it be nice... (1)

LostCluster (625375) | more than 6 years ago | (#23247100)

You're forgetting that this "claimed" IP space has a legit owner who might want to use it someday. It'd be an internet turf war if people were simply able to advertise the availability of a network they don't own.

Re:Wouldn't it be nice... (1)

John Hasler (414242) | more than 6 years ago | (#23247298)

> You're forgetting that this "claimed" IP space has a legit owner who might want to use
> it someday.

So why isn't SF Bay Packet Radio taking any action?

> It'd be an internet turf war if people were simply able to advertise the availability of
> a network they don't own.

Isn't that what is happening here?

Re:Wouldn't it be nice... (1)

varmittang (849469) | more than 6 years ago | (#23247124)

Doesn't he need access to the back bone to make this even work? Hell, I could grab all the IP addresses of the Internet and put it in a router but it would only work in my own little world here in my house. So, does he control a back bone node that he can redirect traffic to make this work? And if the AT&T's of the world black list his set of router mac addresses then it should exclude him from getting any traffic or his ability to send any traffic, right?

Re:Wouldn't it be nice... (1)

TooMuchToDo (882796) | more than 6 years ago | (#23247352)

You don't need to control a backbone to announce an AS number and a chunk of address space.

Re:Wouldn't it be nice... (1)

Cramer (69040) | more than 6 years ago | (#23247942)

You do for it to actually work. Every ISP I've worked for or dealt with in the last 10 tens implements AS AND prefix filters. You can only announce the address space you actually own or that of your customers -- with written authorization from said customers.

Looks more like honest ISPs should terminate all peering with Cogent and anyone else seen announcing 134.17/16. Having had part of my network stolen over a decade ago ('95-96), you do not want people like this on the internet. (in our case it was claimed to be a typo, but it still took the entire ISP off the net for over a day.)

Re:Wouldn't it be nice... (1)

TooMuchToDo (882796) | more than 6 years ago | (#23248024)

I've worked with several large IP transit providers who don't always filter prefixes properly, either due to technical or bureaucratic reasons. Simply look at the problem YouTube ran into when a Pakistan ISP tried to blackhole YouTube only in Pakistan, but due to prefixes not being filtered properly, their announcement propagated out to the net.

While I'm glad you've been able to work with organizations that filter prefixes properly, it doesn't always work out the way you've experienced.
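
An added example, not part of any comment in this thread: the "AS and prefix filter" check discussed above, sketched in Python for a single customer BGP session. The filter table, AS numbers 64500-64502 and the 198.18.0.0/15 prefix are constructed sample values; only 134.17.0.0/16 comes from the page.

```python
import ipaddress

# Constructed filter table, keyed by the customer's (neighbor's) AS number.
# "allowed_origins" = the customer plus any downstream it holds written
# authorization for; each prefix carries the longest mask that is accepted.
CUSTOMER_FILTERS = {
    64500: {
        "allowed_origins": {64500, 64501},
        "prefixes": [("198.18.0.0/15", 24)],
    },
}


def evaluate(neighbor_as, prefix, as_path, filters=CUSTOMER_FILTERS):
    """Decide whether to accept one announcement from a customer session.

    as_path is ordered as received: neighbor first, origin last.
    Returns (accepted, reason).
    """
    policy = filters.get(neighbor_as)
    if policy is None:
        return False, "no-filter-on-file"
    # AS filter: the path must start at the neighbor and end at a known origin.
    if not as_path or as_path[0] != neighbor_as:
        return False, "first-as-not-neighbor"
    if as_path[-1] not in policy["allowed_origins"]:
        return False, "origin-not-authorized"

    try:
        net = ipaddress.ip_network(prefix, strict=True)
    except ValueError:
        return False, "malformed-prefix"

    # Prefix filter: must fall inside an authorized block and not be
    # more specific than the agreed maximum length.
    for allowed, max_len in policy["prefixes"]:
        allowed_net = ipaddress.ip_network(allowed)
        if net.version != allowed_net.version:
            continue
        if net.subnet_of(allowed_net):
            if net.prefixlen > max_len:
                return False, "too-specific"
            return True, "accepted"
    return False, "prefix-not-authorized"


def review(announcements, filters=CUSTOMER_FILTERS):
    """Return only the rejected announcements, with the reason for each."""
    rejected = []
    for neighbor_as, prefix, as_path in announcements:
        ok, reason = evaluate(neighbor_as, prefix, as_path, filters)
        if not ok:
            rejected.append((prefix, reason))
    return rejected


# Constructed announcements as they might arrive on the AS 64500 session.
SAMPLE = [
    (64500, "198.18.0.0/15", [64500]),          # its own aggregate
    (64500, "198.18.4.0/24", [64500, 64501]),   # authorized downstream
    (64500, "198.18.4.0/25", [64500]),          # longer than the /24 limit
    (64500, "134.17.0.0/16", [64500]),          # no authorization on file
    (64500, "198.18.0.0/15", [64500, 64502]),   # unknown origin behind customer
    (64500, "198.18.0.0/15", [64502, 64500]),   # path does not start at neighbor
]

if __name__ == "__main__":
    for prefix, reason in review(SAMPLE):
        print(f"reject {prefix:18} {reason}")
```

A filter like this only helps on sessions where it is actually applied, which is the gap the comment above describes.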

Re:Wouldn't it be nice... (1)

Kadin2048 (468275) | more than 6 years ago | (#23247776)

From what I can tell the scheme is a little more involved than that.

The spammers set up a front corporation in Nevada with a name that's basically identical to the now-defunct Ham radio club that got the block back in 1989. Then they just took control of it using that name; to a casual observer -- and apparently ARIN didn't bother to look too closely -- they looked like the legitimate owner. It's basically a social engineering exploit.

And because of the way the ARIN's rules are set up, they don't pay anything in fees because it's a "grandfathered" block. Not bad if you can get it.

Then, they set up a second shell corporation (JKS Media) to announce the routes -- probably because any halfway-legitimate ISP would have caught on to the fact that they really weren't a San Francisco-based Amateur Radio club. This second shell corp obtained an AS number and advertised all the routes to the hijacked IP range, and on paper looked like a separate company. But it's pretty clear on closer inspection that it's just a front for the spammers.

More information here:
http://www.47-usc-230c2.org/chapter2.html [47-usc-230c2.org]

Re:Wouldn't it be nice... (1)

PalmKiller (174161) | more than 6 years ago | (#23247804)

I just did...thanks for their /16, it's blocked so let them enjoy

Simple, blackhole the IP space (1)

jmorris42 (1458) | more than 6 years ago | (#23246790)

This one is simple. Everyone just blackholes the IP range and game over. Better if the backbones drop the route. Best if we all drop the IP space of whoever is directly connecting to a known spam network.

Re:Simple, blackhole the IP space (4, Interesting)

dave.josephsen (1087529) | more than 6 years ago | (#23247074)

It really isn't that simple. I'd refer you to my own work (http://www.usenix.org/media/events/lisa07/tech/videos/josephsen.mp4, and http://media.defcon.org/dc-15/video/Defcon15-Dave_Josephsen-Homeless_Vikings.mp4 [defcon.org]) or that of Nick Feamster at Georgia Tech. They've been hijacking address space via short-lived BGP prefix hijacks for at least 5 years now, and it is exactly the attitude of "we'll just block X" that got us here in the first place. If you use RBLs and make the arms race about IPs, then the most direct response is to attack the network layer and/or IP space. Further, there are real world reasons why IP filters just aren't going to work on a global scale. For that I'd refer you to the work of Mohit Lad at UCLA. There is an economic layer on top of BGP. The effect of no-valley routing is that you're going to get route propagation from folks you think you can trust but cannot. It's a bit much to get into here, but off-handedly blacklisting more shit isn't the answer here, it's the problem.

Re:Simple, blackhole the IP space (0)

Anonymous Coward | more than 6 years ago | (#23247866)

Bullshit, fact is I am blocking their sorry ass. And if anyone is letting spammers get ahold of their core routers, they need their ass blocked until they can get their crap secure

Firewall Updated (1)

Bigbutt (65939) | more than 6 years ago | (#23246792)

Thanks.

[John]

Why the disclaimer? (0)

Anonymous Coward | more than 6 years ago | (#23246832)

Why the big, strange disclaimer whenever I try to follow links on the independent investigation page? I just skimmed the whole thing and closed it. I don't mind that you're going after spammers. In fact, I encourage destroying them!

But what was the point of pages of legal disclaimers? Do you really need them to fight off shyster spammer lawyers these days? Though to be fair, I suppose the original green card spammers really were sleazebag lawyers...

Re:Why the disclaimer? (1)

Kadin2048 (468275) | more than 6 years ago | (#23247896)

I think those only appear on links to the spammer's site. It's a little weird but the investigation page has a couple of links that point to pages that immediately redirect to the spammer's site.

I don't know if he's doing that to avoid giving them the link or what. (Seems to me he'd be better just not linking at all, but what do I know.)

But the site that pops up that weird disclaimer and requires you to agree before you can get to the actual site -- that's the site for the spammer's front company that provides the routing to the stolen IP ranges (JKS Media).

I say they can have it... (1)

Talez (468021) | more than 6 years ago | (#23246868)

# ip route add blackhole 134.17.0.0/16
# route -n

All good!

Blackhole == Defeat! (4, Insightful)

Fluffeh (1273756) | more than 6 years ago | (#23246872)

If the IP is simply blackholed, you are by lack of argument allowing this Spammer to put some sort of credible hold on that IP. That's like finding a squatter in a house on the street where the owners have gone on holiday - and simply putting a piece of tape across the driveway - it doesn't solve the bigger problem which is that someone walked into the house and started living there without any credible reason of doing so. It doesn't solve the problem of what's going to happen when the people return from holidays and find this squatter in their house.

Also, if we simply blackhole that IP, what's going to happen when a legitimate user tries to use that space. It's going to go to bollocks for them when they find that the rest of the net is ignoring them already.

Re:Blackhole == Defeat! (1)

spamhostage (1281566) | more than 6 years ago | (#23247062)

I need help. I work for a spammer and pretty much hostage unless it's shut down. I can't take it any more. Any suggestions?

Re:Blackhole == Defeat! (1)

Nullav (1053766) | more than 6 years ago | (#23247080)

So let 'em have it. Then we can start citing it as even more reason to move over to IPv6 already.

Re:Blackhole == Defeat! (1)

QuantumG (50515) | more than 6 years ago | (#23247308)

> That's like finding a squatter in a house on the street where the owners have gone on holiday

Huh? That's not squatting. If the premises are occupied then it is trespass. I know this must be hard to understand in the US where there are no sensible squatting laws, but in civilized world squatting is where you are living somewhere that is vacant without the authorization of the owner. Squatting serves an important purpose: to force property owners to develop the property. Otherwise all the buying up property for the purpose of speculating on an increase in the market would result in widespread homelessness.

Re:Blackhole == Defeat! (1)

John Hasler (414242) | more than 6 years ago | (#23247344)

> I know this must be hard to understand in the US where there are no sensible squatting
> laws...

Google "adverse possession".

> Squatting serves an important purpose: to force property owners to develop the property.

Why is it necessary that all property be "developed"?

> Otherwise all the buying up property for the purpose of speculating on an increase in
> the market would result in widespread homelessness.

You have a defective understanding of economics.

Re:Blackhole == Defeat! (1)

Fluffeh (1273756) | more than 6 years ago | (#23247694)

Goodness me, that's so utterly way off the mark :)

Quote:
squatting is where you are living somewhere that is vacant without the authorization of the owner

Yes, and the problem here is that when the owner comes to the squatter and says "I would like you to go somewhere else as I would like to [insert reason]." the squatter then replies with "But I have been living here for [insert length] and I ain't moving."

The IP address they have been using does not belong to them.
Rather than putting forward the plan to get them to move along (or even shock/horror) BUY a place to reside in, people here seem to think that blackholing them (simply pretending they don't exist realistically) will fix the problem.

Quote:Otherwise all the buying up property for the purpose of speculating on an increase in the market would result in widespread homelessness.

Goodness me, I don't even want to touch that. Just how much land do you think is in the world without someone laying claim to own it at the moment, whether it is behind a "Ma and Pa" farm, a track of wilderness or acres and acres of land behind a fence somewhere? Simple answer: There isn't a square centimeter of land on the earth that doesn't have someone as an owner. It has utterly nothing to do with homelessness @_@

Re:Blackhole == Defeat! (1)

NeumannCons (798322) | more than 6 years ago | (#23247810)

The Antarctic has a pie shaped portion of land without any recognized owner (between 90 degrees w and 150 degrees west - about a 1/8 slice of the antarctic "pie"). All the other land is claimed by one country or another -- sometimes the same land is claimed by more than one country and depends on who you have a treaty with determines who you believe.

Re:Blackhole == Defeat! (1)

mysidia (191772) | more than 6 years ago | (#23247342)

Temporarily blackholing the IP range is the easiest way to stop spam.

If you are really concerned about re-assignment: an alternative would be to blackhole (or convince your upstream to blackhole) route advertisements from peers with the origin AS of the hijacker or supposed hijacker, I.E. AS # 32311 (if you believe it's hijacking 134.17.0.0/16).

If you have a default route to a provider that doesn't implement a similar policy, then you'd probably need to carefully override that default with some manner of exclusion or special (non-advertised) static entry, intended to be overridden if the prefix later gets advertised from another source.

Snotty Scotty Richter (3, Informative)

kchrist (938224) | more than 6 years ago | (#23246896)

OptinRealBig belongs to none other than Snotty Scotty Richter [flickr.com] . I haven't heard of that guy in a while. I was hoping he had been hit by a bus or something.

Blackholing this address space may not be wise (5, Insightful)

Whuffo (1043790) | more than 6 years ago | (#23246900)

If you're going to add this address space to your firewall or block it at the router - consider that this rogue outfit is likely to be taken down soon, and that address space may then be assigned to a legitimate operation. There's not an unlimited number of addresses left in IPv4 you know.

What's been happening for years now is well-meaning admins blocking various IP addresses / blocks and/or domain names. Their motives are good, but after the address or domain name is blocked they almost never go back and recheck to see if the block is still needed. What this leads to over time are holes in the address space that can't be used, awkward or no routes to some addresses from some other addresses, etc. Especially in this time of zombie machines; blackhole that IP address and you've knocked some individual off line - but you've done nothing to reduce the amount of spam / viruses / worms / etc.

This is what killed ORBS and other services of that type. Easy to add domains / addresses to the blocklist, but difficult to remove them. Eventually the list becomes useless...

Much better solution: make an example out of the people who are squatting on this netblock. Break out the pitchforks and torches...
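
An added example, not written by any poster: one way to keep a block on 134.17.0.0/16 from outliving its reason, by tying the entry to the origin AS named in the thread (32311) and to a review date. The dates, the 90-day review period, AS 64500 and the choice to let lapsed entries stop blocking are assumptions of this sketch.

```python
import ipaddress
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class BlockEntry:
    prefix: str
    reason: str
    added: date
    review_after_days: Optional[int] = None  # None = never reviewed (the stale case)
    origin_as: Optional[int] = None          # None = block whoever announces it

    def lapsed(self, today):
        if self.review_after_days is None:
            return False
        return today > self.added + timedelta(days=self.review_after_days)

    def covers(self, ip):
        return ipaddress.ip_address(ip) in ipaddress.ip_network(self.prefix)


def is_blocked(entries, src_ip, today, observed_origin):
    """True if any live entry applies to src_ip.

    observed_origin is the origin AS the operator's own BGP table currently
    shows for the route covering src_ip (supplied by the caller; how it is
    obtained is outside this example).
    """
    for e in entries:
        # Policy choice of this sketch: a lapsed entry stops blocking until
        # someone re-confirms it.
        if not e.covers(src_ip) or e.lapsed(today):
            continue
        if e.origin_as is not None and e.origin_as != observed_origin:
            continue  # the party the block was aimed at no longer holds the space
        return True
    return False


def needs_attention(entries, today, observed_origins):
    """List (prefix, why) for entries that should be rechecked or removed."""
    out = []
    for e in entries:
        current = observed_origins.get(e.prefix)
        if e.lapsed(today):
            out.append((e.prefix, "review-date-passed"))
        elif e.origin_as is not None and current != e.origin_as:
            out.append((e.prefix, "origin-changed"))
        elif e.review_after_days is None and e.origin_as is None:
            out.append((e.prefix, "no-expiry-no-condition"))
    return out


# Constructed entries: the same /16 blocked two ways.
ADDED = date(2008, 4, 29)  # constructed date
STATIC = BlockEntry("134.17.0.0/16", "spam source", ADDED)
CONDITIONAL = BlockEntry("134.17.0.0/16", "spam source", ADDED,
                         review_after_days=90, origin_as=32311)

if __name__ == "__main__":
    later = ADDED + timedelta(days=10)
    # Suppose the block is reclaimed and announced by a different origin (64500).
    print("static entry still drops:     ", is_blocked([STATIC], "134.17.5.9", later, 64500))
    print("conditional entry still drops:", is_blocked([CONDITIONAL], "134.17.5.9", later, 64500))
    print(needs_attention([STATIC, CONDITIONAL], later, {"134.17.0.0/16": 64500}))
```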

Re:Blackholing this address space may not be wise (4, Insightful)

v1 (525388) | more than 6 years ago | (#23246930)

He has to peer somewhere. THEY should be the ones to blackhole him. One way or another he has to be paying someone off to route in his direction. I don't see why that's hard to cut off?

Re:Blackholing this address space may not be wise (3, Insightful)

mysidia (191772) | more than 6 years ago | (#23247104)

If you're willing to pay enough for the bandwidth you will probably find a major provider to let you advertise your range.

For the origin of that range to get as far as they have, they clearly had paperwork to prove to their upstream that the range is assigned to them.

You're their customer. Without a very good reason to do so, they won't (can't) blackhole you without violating whatever interconnection agreement was signed.

Temporarily blocking a range should cause no permanent issue for the new owners, not that a range like that one can be re-assigned quickly.

Since it had already been used before, very possibly the range would be considered un-assignable, just like the class E ranges and other ranges which were originally reserved/special.

But you see, it's better to have a range be unusable than to have a range with bad documentation that can be occupied by whatever spammer wants to occupy it.

(Or: blackholed is better than can be freely occupied on tenuous or ridiculous reasoning arising out of strange circumstances -- like the person who wants to occupy it used to be a contact for the defunct organization who it was once registered to)

Re:Blackholing this address space may not be wise (1)

Burdell (228580) | more than 6 years ago | (#23247850)

> For the origin of that range to get as far as they have, they clearly had paperwork to prove to their upstream that the range is assigned to them.

Except they don't. The IANA/ARIN records for that block show it being assigned to SF Bay Packet Radio in 1999. However, the nameservers appear to have been changed in October 2007 to sfbprservices.com, which is then registered by Media Breakaway (trying to pretend to be the original owner). Apparently, their upstreams (Level3, Cogent, and XO) did not do any checking, nor are they doing proper route filtering. IIRC all three of those companies are hurting financially, so they probably just looked the other way because they need the money.

Re:Blackholing this address space may not be wise (1)

steveb3210 (962811) | more than 6 years ago | (#23247364)

The easiest solution I see is to blackhole the BGP route announcement from its current ASN.. no announcements, no ip block.

Re:Blackholing this address space may not be wise (1)

SaDan (81097) | more than 6 years ago | (#23247830)

I think everyone who has the capability should start announcing the same netblock via BGP.

Re:Blackholing this address space may not be wise (1)

Kadin2048 (468275) | more than 6 years ago | (#23247954)

They have what looks like a front company with an ASN that advertises routes to the stolen address space.

It's "JKS Media" and they have ASN 32311 [fixedorbit.com] .

Peers include Cogent, XO, Level3, and 360Networks.

IMO, it's the networks peering with JKS that need to pull the plug, rather than having every sysop on the net blacklist either the ASN or the IP address range.

Re:Blackholing this address space may not be wise (1)

Fluffeh (1273756) | more than 6 years ago | (#23246940)

Hey! It's pitchforks and flaming brands, not torches...

See here! [slashdot.org]

Re:Blackholing this address space may not be wise (0)

Anonymous Coward | more than 6 years ago | (#23247708)

I don't know what stone age tech you are using. But my firewall runs in connection with an RDBMS. Takes care of itself, adopting to new threads by analyzing network traffic and clean up stuff that is not needed anymore.
There is no fixed list.

Re:Blackholing this address space may not be wise (0)

Anonymous Coward | more than 6 years ago | (#23247890)

If you think services like ORBS have been "killed" then you obviously don't have any exposure to dealing with spam whatsoever. You certainly don't have a clue. ORBS was done in by spite listings.

Spammers know no limits (4, Insightful)

erroneus (253617) | more than 6 years ago | (#23246902)

There's only one true solution to the problem of spammers. Death. I'm not joking. These people that create botnets, hijack networks and servers so that they can sell advertising are creating problems on a global scale for money. Nothing but death will stop or deter them. They need to die.

It's good that I do not own any firearms and good that I do not know where these people live and good that I lack the means to get there. If I had those things and an air-tight alibi, I wouldn't hesitate to make my first murder one of these people.

Re:Spammers know no limits (2)

dfm3 (830843) | more than 6 years ago | (#23247070)

Dude. Back away from the computer, get out of the basement for a little, and maybe step outside for a minute to take a breather. I'm not joking. ;-)

Re:Spammers know no limits (0)

Anonymous Coward | more than 6 years ago | (#23247788)

> Dude. Back away from the computer, get out of the basement for a little, and maybe step outside for a minute to take a breather. I'm not joking. ;-)


Neither is he, and neither am I. When a person or small group of people inflict millions upon millions of man hours worth of damage, how long is it before we start tallying up the number of lifetimes they've cost the population at large by inflicting their bullshit?

I work for a 50k person organization, and I spend ten minutes a day at work clearing out spam and phish that made it through the filters. Some of it looks legit enough at first blush that you can't just summarily shitcan it. Across my organization that's 8300 hours if others have the same issue, or about 50 man-weeks. So getting loose and fast with the numbers, these assholes are costing us a man year every work day. We can do without this and the people causing it. The parasites need to perish.

I say at eighty man years it should be a mandatory death sentence, preferably by a slow and painful method and shown on the net.

Re:Spammers know no limits (1)

ForumTroll (900233) | more than 6 years ago | (#23247174)

> I wouldn't hesitate to make my first murder one of these people.

First? You plan on murdering other people?

Re:Spammers know no limits (1)

aliquis (678370) | more than 6 years ago | (#23248042)

Probably? I think many people could come up with others they would have wanted to see dead if possible and safe for themself.

Re:Spammers know no limits (1)

owlnation (858981) | more than 6 years ago | (#23247210)

Hmmm... I'm not sure modding him flamebait was really fair. He does have a point, all too scarily emphatic about it, but a point nonetheless. He's on that cusp between funny, insightful and flamebait. It's not really flamebait since he's only likely to offend spammers, and I'm not sure we really should care what they think.

We do definitely treat spammers (and lawyers) with far too much leniency in society. Spammers, direct marketers, viral marketers should all be in prison for a very, very long time. If Wesley Snipes gets 3 years for a misdemeanor, Spammers should get life for sure.

Re:Spammers know no limits (1)

erroneus (253617) | more than 6 years ago | (#23247248)

For years I've been trying to explode their heads with my mind... it hasn't seemed to work yet.

Re:Spammers know no limits (0)

Anonymous Coward | more than 6 years ago | (#23247654)

So... Umm... How big a bounty do we need to post before you suddenly decide that those problems are solvable?

Re:Spammers know no limits (1)

aliquis (678370) | more than 6 years ago | (#23248058)

And how long before Paypal decides the money are theirs? :D

"Hijack?" (4, Interesting)

PhotoGuy (189467) | more than 6 years ago | (#23246950)

> Apparently, the President of Media Breakaway has now admitted to the Washington Post that his company has been occupying and using the 134.17.0.0/16 block and that front company JKS Media, which provides routing to the block, is actually owned by Media Breakaway.

If he is president of a company that owns the company that provides routing for the block, doesn't that mean he has legal ownership of that block?

Yes, if the block is used primarily for spam, I'm all for people blackholing the range. And if he's using it for illegal purposes, yes, he should be punished (and the range appropriated). But I don't see where the term "hijacking" could be applied at all.

If I own some cars and use them in crimes, I haven't "hijacked" anyone.

What am I missing?

Re:"Hijack?" (1)

Fluffeh (1273756) | more than 6 years ago | (#23246996)

You are missing the fact that his so called "ownership" is in his eyes only, not that of anyone else.

Just because you squat doesn't mean you own.

Quote:
Remarkably, the president of Media Breakaway, who happens to be an attorney, is trying to defend his company's apparent snatching of this block based upon his own rather novel legal theory that ARIN doesn't have jurisdiction over any IP address space that was handed out before ARIN was formed, in 1997.

Re:"Hijack?" (4, Informative)

jon787 (512497) | more than 6 years ago | (#23247140)

That it doesn't belong to the parent company either:

$ whois 134.17.0.0

OrgName: SF Bay Packet Radio
OrgID: SBPR-1
Address: 1490 W 121st Ave
Address: Suite 201
City: Westminster
StateProv: CO
PostalCode: 80234
Country: US

NetRange: 134.17.0.0 - 134.17.255.255
CIDR: 134.17.0.0/16
NetName: BAY-PR-NET
NetHandle: NET-134-17-0-0-1
Parent: NET-134-0-0-0-0
NetType: Direct Assignment
NameServer: NS1.SFBPRSERVICES.COM
NameServer: NS2.SFBPRSERVICES.COM
Comment:
RegDate: 1989-04-12
Updated: 2007-10-05

Re:"Hijack?" (3, Interesting)

Kadin2048 (468275) | more than 6 years ago | (#23248040)

Humm ... San Francisco Packet Radio ... with a Colorado mailing address. Somehow I don't think so.

It looks like what they did was just register a company with a similar-sounding name to a defunct organization that had an old /16. Then they went to ARIN and got control of it on the strength of the similar name, including getting themselves listed in WHOIS. (Which, when you think about it, isn't that hard -- there's no real authentication mechanism for proving you're the "real" San Francisco Packet Radio.)

Then they had another front company obtain an AS number and provide routing, and suddenly they have lots of IPs from which to send spam.

The even-creepier part is that it looks like they have another block stolen through similar means (currently registered to a P.O. box in NYC) and possible connections to Russian spammers, which means basically the Russian mafia.

Here's hoping that when the whole thing falls apart, the Russian mob comes calling for this guy's head. Ironically they're the best chance for this guy getting the slow, painful death he so richly deserves.

Re:"Hijack?" (1, Insightful)

Anonymous Coward | more than 6 years ago | (#23247232)

It's more like squatting in a car dealership and stealing the cars to use in crimes. You can "claim" to own it but you don't, but if everybody blacklists it the legitimate owners can't use it either.

He's only pretending to be a HAM! (1, Interesting)

Anonymous Coward | more than 6 years ago | (#23247592)

Per my reading of TFA, he made a phony company under the name of the real (but apparently defunct) Amateur Radio group that actually owned that IP block once upon a time, then pretended to be them.

That's what you're missing.

Ralsky the fucker (0)

Anonymous Coward | more than 6 years ago | (#23246954)

Find out where he lives, and sign his ass up for every free catalog on the planet.

Re:Ralsky the fucker (1)

timmarhy (659436) | more than 6 years ago | (#23247176)

it's been done, and ironically he claimed it was harassment.

pot calling kettle black.

To read this comment (2, Funny)

lisany (700361) | more than 6 years ago | (#23246984)

I'm sorry but to read this comment you must accept the terms of service of my crappy comment. Please click your back button to accept terms of service.

A lack of ethics (4, Interesting)

mlwmohawk (801821) | more than 6 years ago | (#23246994)

I will continue to say it every time I can.

We need a strong societal repudiation of the violation of ethics. Organizations like Microsoft, SCO, and the like and people like Bill Gates, Darl McBride, etc. need to be made pariahs for the shameless unethical and illegal behavior.

"Spamming" is unethical. The only reason why it is done is because their unethical behavior is not shunned.

And what is spam? (1)

Jane Q. Public (1010737) | more than 6 years ago | (#23247032)

There must be a line somewhere: this is spam and that is not. Current U.S. law defines it pretty specifically.

Re:And what is spam? (1)

mlwmohawk (801821) | more than 6 years ago | (#23247312)

It is like the definition of PORN. Unfortunately, it is "I know it when I see it."

Re:And what is spam? (1)

Jane Q. Public (1010737) | more than 6 years ago | (#23247538)

Ah... but it's not. That was my point. Spam has a narrow legal definition. If they are on the "proper" side of that line then they are "mass mailers", not "spammers".

I might agree with you that even legal bulk mail is annoying... but if it is that annoying, then we should change the law, yes?

Re:And what is spam? (1)

Kadin2048 (468275) | more than 6 years ago | (#23248104)

The legal definition of "spam", at least on the Federal level, was crafted with help from spammers themselves (oh, I'm sorry, they're "mass marketers" now). Good thing nobody cares: they're still spammers in the eyes of God and the Internet. Those 'mass marketers' using their CAN-SPAM-approved "free shot" on everyone's email address? Spammers. You know it, I know it, the people who write spam filters know it; hell, even the spammers themselves probably know it.

The fact that the U.S. Congress -- a pretty thoroughly corrupt organization even on its better days (and CAN-SPAM was not a 'better day') -- slapped the rubber-stamp of approval on some behaviors doesn't make them right, or for that matter even acceptable in polite society.

It's a huge mistake to hand over the definition of "spammer" to a bunch of people who don't have the faintest clue how the Internet even works. They may make the laws, but they don't have one iota of credibility when it comes to talking about what's reprehensible behavior and what's not.

Re:And what is spam? (1)

aliquis (678370) | more than 6 years ago | (#23248084)

Just ban all sorts of advertisement for all I care :)

Re:A lack of ethics (1)

spamhostage (1281566) | more than 6 years ago | (#23247322)

Help me, how the hell do I take down a spammer I work for without them knowing so

Re:A lack of ethics (1)

Prisoner's Dilemma (1268306) | more than 6 years ago | (#23247526)

Add a bunch of .gov and .mil addresses to the email lists

Re:A lack of ethics (0)

Anonymous Coward | more than 6 years ago | (#23247452)

What about other illegal conduct, such as copyright infringement? Is that OK?

Re:A lack of ethics (1)

xdroop (4039) | more than 6 years ago | (#23247490)

You, sir, miss the obvious.

The, ah, "only reason why it is done" is because there's money in it.

Set firewalls on shun! (2, Funny)

zerofoo (262795) | more than 6 years ago | (#23247048)

Boy, that was a cheesy joke, huh?

-ted

what's the big deal? (1)

ILuvRamen (1026668) | more than 6 years ago | (#23247188)

I assume they mean they own 134.17.0.0 through 134.17.0.16, right? What's the big deal? If I owned 16 web servers, I'd have control over a block that size too. Even if they mean it goes up to 134.17.16.255 large web hosts can own that much too. Now if they stole all of 134.anything that'd be bad.

Re:what's the big deal? (2, Informative)

wytcld (179112) | more than 6 years ago | (#23247212)

Um no. Everyone else knows this. But might as well clue you in. They've claimed 134.17.*.* - all of it.

Re:what's the big deal? (0)

Anonymous Coward | more than 6 years ago | (#23247268)

/16 is the whole network block, for 65-thousand whatever addresses... so 192.168.0.0 /16 is what is appropriated for private use

Re:what's the big deal? (1)

Ron Bennett (14590) | more than 6 years ago | (#23247286)

No, it means they control 134.17.0.0 to 134.17.255.255 ... NOT 16 addresses, but rather 65,536 addresses. Though still a far cry from them controlling all of 134, since they only have 1/256 slice of it.

Ron

Re:what's the big deal? (2, Informative)

Have Blue (616) | more than 6 years ago | (#23247450)

The "/16" means they claimed the remaining 16 bits of the 32-bit IP address whose first 2 bytes are 134.17 in decimal- everything from 134.17.0.0 to 134.17.255.255. That's one of only 65,000 blocks of its class available and is the sort of range that would be owned by a large corporation or university.
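Added example, not part of the original thread: the arithmetic behind the replies above, worked with explicit bit masks, plus a check of mail-log client addresses against the block. The log lines and all function names are constructed for illustration.

```python
import ipaddress
import re

BLOCK = "134.17.0.0/16"  # the block named in the story

def cidr_range(cidr):
    """Return (first, last, count) for an IPv4 CIDR block via explicit bit masks."""
    base, prefix_len = cidr.split("/")
    host_bits = 32 - int(prefix_len)            # /16 leaves 16 host bits
    mask = (0xFFFFFFFF << host_bits) & 0xFFFFFFFF
    first = int(ipaddress.IPv4Address(base)) & mask
    last = first | (~mask & 0xFFFFFFFF)
    return (str(ipaddress.IPv4Address(first)),
            str(ipaddress.IPv4Address(last)), 1 << host_bits)

def blocks_per_parent(inner, outer):
    """How many blocks the size of `inner` fit in `outer` (inner must lie inside it)."""
    inner_net = ipaddress.ip_network(inner)
    outer_net = ipaddress.ip_network(outer)
    if not inner_net.subnet_of(outer_net):
        raise ValueError(f"{inner} is not inside {outer}")
    return outer_net.num_addresses // inner_net.num_addresses

# Constructed sample lines in Postfix smtpd style; not taken from any real server.
SAMPLE_LOG = """\
Apr 29 10:01:02 mx postfix/smtpd[101]: connect from unknown[134.17.0.16]
Apr 29 10:01:05 mx postfix/smtpd[102]: connect from mail.example.org[192.0.2.25]
Apr 29 10:01:09 mx postfix/smtpd[103]: connect from unknown[134.17.200.9]
Apr 29 10:01:11 mx postfix/smtpd[104]: connect from unknown[134.170.1.1]
Apr 29 10:01:12 mx postfix/smtpd[105]: connect from unknown[134.16.255.255]
"""

CONNECT_RE = re.compile(r"connect from \S+\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def clients_in_block(log_text, cidr=BLOCK):
    """Return client IPs from 'connect from' lines that fall inside `cidr`."""
    net = ipaddress.ip_network(cidr)
    hits = []
    for line in log_text.splitlines():
        match = CONNECT_RE.search(line)
        if not match:
            continue
        try:
            addr = ipaddress.ip_address(match.group(1))
        except ValueError:      # malformed address in the log line
            continue
        if addr in net:
            hits.append(str(addr))
    return hits
```

The near misses 134.170.1.1 and 134.16.255.255 are in the sample on purpose: a textual "starts with 134.17" test would wrongly catch the first, while the mask comparison does not.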

who is linking this to the backbone? (2, Insightful)

timmarhy (659436) | more than 6 years ago | (#23247220)

this has a very simple fix. major backbone providers like at&t need to cease routing from providers who allow this kind of misconfiguration of the internet.

because that's all it is, a mid level isp has added someone to their routing tables with ip's that they have no right to. simply telling their provider to correct their configurations or all their traffic will be dropped should be enough, indeed it should be mandatory for backbone providers to do this in order for them to legally keep their own ip ranges. anything else is asking for people to start claiming ip's all over the place and before you know it each isp will route you to a different site for the same ip, making the internet useless.

Re:who is linking this to the backbone? (1)

akirchhoff (95640) | more than 6 years ago | (#23247658)

I poked around a little, and it looks like Level3, XO and Cogent are peering directly with them.

Probably others as well.

This is good news (1)

CustomDesigned (250089) | more than 6 years ago | (#23247276)

Now I can just add that entry to my IP blacklist...

Interesting problem... (0)

Anonymous Coward | more than 6 years ago | (#23247324)

I'm just going to analyze this as if it were on my 1L property exam... which I am currently studying for, and is on Thursday.

The first thing I ask is: Did Media Breakaway acquire interest in the IP space from any predecessor? If Media Breakaway is a bona fide purchaser for value, it will be difficult to challenge their title.

The second question I ask: How long has Media Breakaway been using the IP space? Adverse possession for IP addresses is certainly a novel theory, but the same public policy reasons that support adverse possession for land apply to IP address space as well. They are both finite (at least, IPv4 space is finite), and there is a public interest in having concrete title. For land, the statutory period for adverse possession in most jurisdictions is twenty years. Due to the fast pace of change on the Internet, a shorter period is surely justified. The period should be at least two years. A period of five years would be very appropriate. Five years would give the true owner plenty of time to notice and end the trespass.

The real problem here is likely standing. A third party won't have standing to bring a trespass action. The true owner would have to bring any such action.

A more troubling problem is whether ARIN has standing to sue. ARIN has an interest in all unallocated IP space. This interest includes space that was previously allocated but has since been returned. If ARIN can show that this space was returned, then ARIN will likely have standing. Without such a showing, ARIN would not have standing, as ARIN would not be able to show that any damages had been suffered.

I hope I get an 'A'. Any law professors on /. that want to grade my submission?

Re:Interesting problem... (1)

mysidia (191772) | more than 6 years ago | (#23247930)

IP addresses are not property. They are numbers you configure your network equipment to use.

Central registries exist and assure that everyone who respects the registry (the _consensus_) will configure their equipment and define their routing policy around their guaranteed unique numbers, and there will be no conflicts between networks as long as everyone respects the registry.

The enforcement mechanism against someone attempting to use addresses assigned to another network, is that other providers will not connect to you, or will not route the IP to you (that the registry indicates is assigned to someone else).

The regional registries indicate which ips have been placed into use -- and to what organization the range is currently assigned: they do not denote ownership of the IPs, and depending on relevant registry policy, assignments may be revoked, renumbered, or re-assigned against the contact's will, under some circumstances.

IP or IP? (1, Interesting)

Anonymous Coward | more than 6 years ago | (#23247380)

Slashdot is notorious for using "IP" to mean both "Internet Protocol" and "Intellectual Property", so I read the headline as "Spammers Hijacking Intellectual Property Space".

By George he's got something there (1)

JustNiz (692889) | more than 6 years ago | (#23247400)

>>> Breakaway, who happens to be an attorney, is trying to defend his company's apparent snatching of this block based upon his own rather novel legal theory that ARIN doesn't have jurisdiction over any IP address space that was handed out before ARIN was formed, in 1997."

By George he's right! I'm gonna lay claim to 127.0.0.1. oh wait I already seem to own it...

Re:By George he's got something there (1)

GuruBuckaroo (833982) | more than 6 years ago | (#23247516)

Oh my god. I thought I had wasted 5 minutes reading through the posts on this thread. This made it worth it. Thank you.

I wish it weren't illegal (1)

Associate (317603) | more than 6 years ago | (#23247438)

to set people like this on fire.

I'm All For It (1)

hardburn (141468) | more than 6 years ago | (#23247446)

If ARIN doesn't control IP addresses assigned before it started, then it basically means a return to classful routing. And then everyone would be pretty much forced to use IPv6.

I say go for it.

Here's an idea. Let's start by making spam illegal (1)

Prisoner's Dilemma (1268306) | more than 6 years ago | (#23247478)

On a federal and international level. While it doesn't solve the problem entirely, it would at least be a step that could be leveraged in situations like this. Also, make the creating/initiating criminal offenses, so there can be more than just monetary damages.

The sparse, narrow state level laws that currently exist can only be used in rare cases and are not able to be used on a large scale or frequently.

Re:Here's an idea. Let's start by making spam ille (1)

zymano (581466) | more than 6 years ago | (#23247550)

Exactly. All the stupid ideas floated by technocrats won't work. A firewall will work somewhat but you still have to get these guys in your own homeland.

These guys ARE CRIMINALS. They are committing telephone fraud and this idiot judge just bought their snakewater.

If my online co. was attacked with this crap I would sue but also contact FBI or local police and arrest these fools.

Re:Here's an idea. Let's start by making spam ille (1)

Kadin2048 (468275) | more than 6 years ago | (#23248188)

Um, they did that, at least in the U.S. It's a perfect case of the cure being worse than the condition.

The law Congress passed, called CAN-SPAM Act [wikipedia.org] , was pretty quickly called the "YOU CAN SPAM Act" and for good reason. It has so many loopholes and outright legitimizations of spam that it's basically worse than useless.

As a bonus, as if greenlighting spam at the Federal level weren't enough, when they passed it they invalidated all the state laws that were tougher on spam, and also prevented any state from passing tougher laws in the future. Nice, eh? I hope the spammers -- oops, I mean direct marketers, because they're legit now -- got their money's worth.

And that, kids, is what you get for asking for help from the government.

easily fixed...... (2, Funny)

Indy1 (99447) | more than 6 years ago | (#23247486)

" I felt a great disturbance in the internet, as if 65535 ip addresses suddenly cried out in terror and were suddenly silenced. I fear something terrible has happened. "

iptables -A spam -s 134.17.0.0/16 -j DROP

F-ing criminal shytering jews. (0, Troll)

zymano (581466) | more than 6 years ago | (#23247532)

They are committing fraud.

What an idiot fucking judge.

Call the damn police in their area and have the SHYSTERING bastards arrested.

.gov and .mils (1)

spamhostage (1281566) | more than 6 years ago | (#23247568)

Wish I could; don't have access to the lists

Ummm.. (0)

Anonymous Coward | more than 6 years ago | (#23247630)

Skylist which was bought by Datran Media controls the whole 69.56.0.0/16 block. They conform to FCC compliant standards for Spam but they're still a spammer. If you sign up on eBay, their default is to allow 3rd parties to send you email, newsletters, etc. This is even if you change your profile, you'll still find yourself in many of the databases that Skylist/Datran have clients served up on using their software. I did a test, signed up for eBay, found myself on 5 databases for 3 different companies. Took me many many opt outs to stop receiving emails from them.

Blacklist (1)

f0d0 (140677) | more than 6 years ago | (#23247808)

Just added the following line to /etc/postfix/blacklist:

134.17 550 You are on our blacklist :)
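Added example, not part of the original comment: a small emulation of how a Postfix indexed access table matches a client address, by trying the full address and then repeatedly dropping the last octet, which is why the bare key `134.17` covers the whole /16. It assumes the file is used as an indexed (e.g. `hash:`) table for client checks; the function names and the `192.0.2` entries are constructed.

```python
def parse_access_table(text):
    """Parse 'key action...' lines of an access table into a dict."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        table[parts[0]] = parts[1] if len(parts) > 1 else ""
    return table

def lookup_client(table, client_ip):
    """Emulate octet-truncation matching: a.b.c.d, then a.b.c, a.b, a.

    Returns (matched_key, action) for the most specific entry, or None.
    """
    octets = client_ip.split(".")
    while octets:
        key = ".".join(octets)
        if key in table:
            return key, table[key]
        octets.pop()            # drop the last octet and try the wider network
    return None

# First entry is the line from the comment; the rest are constructed samples.
ACCESS = parse_access_table("""
134.17       550 You are on our blacklist :)
192.0.2      REJECT
192.0.2.10   OK
""")

# An indexed table treats keys as plain strings, so a CIDR-style key is never
# produced by the truncation loop; CIDR patterns need the cidr: table type.
CIDR_KEYED = parse_access_table("134.17.0.0/16 REJECT")

def demo():
    """Return lookup results for a few constructed client addresses."""
    return {
        "in_block": lookup_client(ACCESS, "134.17.200.9"),
        "near_miss": lookup_client(ACCESS, "134.170.1.1"),
        "exception": lookup_client(ACCESS, "192.0.2.10"),
        "cidr_key": lookup_client(CIDR_KEYED, "134.17.200.9"),
    }
```

Matching happens on whole octets, so `134.17` does not catch 134.170.x.x, and the more specific `192.0.2.10` entry wins over `192.0.2` because it is tried first.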

How much is a /16 worth anyway? (1)

snsh (968808) | more than 6 years ago | (#23247986)

The government entity I work for operates a class B, and we waste IP addresses for all sorts of things. In a couple places, we have entire routable class C subnets being used for both ends of a serial link for a branch office T1. It's so easy to waste IP's when you have 64k of them, and really only need several hundred.

So what I wonder is, how much are these large IP ranges worth on the open market? I know class A is impossible to come by. Class B you can get by acquiring random organizations like SF radio. About a year ago didn't ARIN start allowing people to buy/sell IP addresses for profit? Before you either had to use them, or release them out of benevolence. I wonder what market value is.

Running out of IP Addresses? (1)

PRMan (959735) | more than 6 years ago | (#23248056)

And what ever happened to the alleged impending crisis of the world running out of IP addresses? If phantom companies, operating out of P.O. boxes, and lacking any real existence whatsoever... except on paper... can get their own /16s and /18s every day of the week, then it's no wonder the world is running out of IP addresses.

Seriously.
