[arin-ppml] Policy question

Ronald F. Guilmette rfg at tristatelogic.com
Fri Sep 21 19:48:09 EDT 2012


Two days ago (9/19)
In message <26463.1348088490 at tristatelogic.com>, I wrote:

>Is this statement of policy still active and in effect?
>
>   https://www.arin.net/announcements/2003/20031014.html
>
>I am particularly curious about the policy specified in the final sentence.

Just FYI for everybody here... That was not just an idle question.

I wanted to do some more research before outing this one, but it seems
that the boys & girls at Spamhaus decided to steal my thunder. :-(

Apparently, they went public about the 147.50.0.0/16 block just yesterday:

   http://www.spamhaus.org/sbl/listings/arin

This block was being routed, continuously, by AS23141 ever since sometime
between 2011-12-23 00:00 GMT and 2011-12-23 02:00 GMT, as far as I can tell,
and presumably right up until Spamhaus outed it yesterday.

This hijack was extraordinarily clever, in at least two ways.

First, the perp(s) in this case somehow managed to find a /16 which not
only had been abandoned (and presumably forgotten about) by its original
owners, but also where the original POC who was previously listed for
the organization that owned the block (... sorry... that had ``registered''
the block) was in no position to contradict or dispute ownership of the block:

   http://www.redmonfuneralhome.com/tim-tausch

<digression>
A relevant quote from the classic film noir "Chinatown":

     "He passed away two weeks ago and one week ago he bought the land.
      That's unusual."
                        -- Jake Gittes
</digression>

Second, as noted above, routing for the hijacked /16 was first established
on the Thursday just before Christmas weekend, 2011... a wonderful time of
year when pretty much everybody is NOT paying all that much attention to
anything other than last minute gift shopping and how to get little Johnny
to get a haircut before the in-laws arrive.

Other than these artful touches, the hijack was accomplished the usual way.
The rightful owner is named "Chemstress Consulting" and it owns and operates
the domain named "chemstress.com".  The original POC record never actually
had an e-mail address associated with it, so the perp(s) simply registered
the new domain name "chemstressconsulting.com" (on or about 2011-08-19)
and then waited patiently until 12-12-2011, when they tricked ARIN into
using their newly manufactured POC contact e-mail address of
"ttausch at chemstressconsulting.com" as the new POC contact e-mail address.

After that, they waited until it was practically Christmas eve before
administering the coup de grâce, i.e. actually getting routing for the block,
which the perp(s) obtained from AS23141, Doylestown Communications Inc, aka
"ohio.net", which itself, and previous to this incident, only had slightly
over a /18 to call its own.  (So routing an entire new /16 must have been
a pretty big deal for them.  Probably not something they did accidentally
or without thinking.)

As usual, I only found this hijack because I had found some other suspicious
and obviously spammy stuff that traced, ultimately, back to that block.  Yes,
this hijacked block _was_ most definitely being used for snowshoe spamming.


Regards,
rfg


P.S.  This case represents blatant, two fisted fraud against both ARIN and
the entire Internet community.  I would like to see someone go to jail for
this.  And it would clearly NOT be at all hard to find the actual guilty
party in this case.  As Deepthroat famously said "Follow the money."  This
perp left a trail a mile wide.  If it were me, I would:

      1)  Send a subpoena duces tecum to Doylestown Communications, demanding
          production of all documents in their possession relating to the
          customer for whom they were announcing the 147.50.0.0/16 route
          (which they did, continuously, for a period of nearly 9 months).

      2)  Send a subpoena duces tecum to Enom, demanding production of all
          documents in their possession relating to the customer for whom
          they registered the domain name "chemstressconsulting.com" on
          2011-08-19.

If law enforcement proved unwilling to take these simple steps, I think
that it would involve minimal expense for ARIN to file a "John Doe" civil
case and pursue these steps on its own.

Note that just because one _opens_ a civil case and sends out subpoenas in
relation to that, that _does not_ commit one to following through all of
the way to trial.  That is entirely optional for the plaintiff, and the
plaintiff can quit the case at any time.  In short, there is no need for
ARIN to spend a lot of resources on this.  Just getting to the point where
the perp can be publicly outed and shamed would, I think, serve the cause
of justice far more than if ARIN just sat back and let this kind of thing
be perpetrated against them, over and over and over again.  (And obviously,
it is really up to ARIN if it wants to DO anything about these kinds of
frauds.  IP and ASN hijackings have occurred in spades over the past few
years, and yet there has never been a single criminal action brought
against any of the perps, ever.  Translation:  LE doesn't give a rat's
ass about this stuff.  Thus, the ball is clearly in ARIN's court.)
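The signals the post describes (a POC e-mail moved to a look-alike domain, that domain registered only months before the POC change, a /16 appearing from an origin AS that previously held only about a /18, and the Christmas-week timing) can be scored mechanically against registry and routing records. The Python below is an added example and is not part of the post or of anything ARIN or Spamhaus publishes; the record classes, the thresholds (180 days of domain age, a prefix at least twice the AS's prior footprint, a three-day holiday window) and the 17,408-address prior footprint are assumptions, and the sample records are constructed from the dates the post gives.

```python
"""Heuristic triage of hijack signals of the kind described in the post.

Added example, not from the post or from ARIN.  Record values are constructed;
dates come from the post where it gives them, the prior address count and all
thresholds are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class PocChange:
    org_domain: str   # domain the registrant organization is known to operate
    new_email: str    # address the POC record was changed to
    changed_on: date


@dataclass
class DomainRegistration:
    domain: str
    registered_on: date


@dataclass
class RouteEvent:
    prefix: str
    origin_asn: int
    first_seen: date
    prior_addresses: int  # IPv4 addresses this AS originated before the event


def registrable_label(domain: str) -> str:
    """Second-level label: 'chemstress' for 'chemstress.com'.
    Assumes a single-label public suffix (no .co.uk handling)."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(org_domain: str, candidate: str) -> bool:
    """True when candidate is not the org's domain (or a host under it) but is
    built to resemble it: the org label embedded in a longer label, or within
    two edits of it.  'chemstressconsulting.com' vs 'chemstress.com' hits the
    first rule."""
    org_full = org_domain.lower().rstrip(".")
    cand_full = candidate.lower().rstrip(".")
    if cand_full == org_full or cand_full.endswith("." + org_full):
        return False
    org, cand = registrable_label(org_full), registrable_label(cand_full)
    return (len(org) >= 5 and org in cand) or levenshtein(org, cand) <= 2


def assess(poc: PocChange, registrations: dict, route: RouteEvent,
           holiday: Optional[date] = None) -> list:
    """Return the names of the triggered signals, in evaluation order."""
    findings = []
    email_domain = poc.new_email.rsplit("@", 1)[-1].lower()
    org_full = poc.org_domain.lower()
    if email_domain != org_full and not email_domain.endswith("." + org_full):
        findings.append("poc-email-off-org-domain")
        if is_lookalike(poc.org_domain, email_domain):
            findings.append("poc-email-lookalike-domain")
    reg = registrations.get(email_domain)
    # Assumed threshold: a contact domain under 180 days old at POC-change time.
    if reg is not None and poc.changed_on - reg.registered_on < timedelta(days=180):
        findings.append("poc-email-domain-newly-registered")
    net = ipaddress.ip_network(route.prefix, strict=True)
    # Assumed threshold: a new prefix at least twice the AS's prior footprint.
    if route.prior_addresses and net.num_addresses >= 2 * route.prior_addresses:
        findings.append("prefix-dwarfs-origin-footprint")
    if holiday is not None and abs((route.first_seen - holiday).days) <= 3:
        findings.append("announced-in-holiday-window")
    return findings


# Constructed sample records modelled on the post's account.
SAMPLE_POC = PocChange("chemstress.com", "ttausch@chemstressconsulting.com",
                       date(2011, 12, 12))
SAMPLE_REGS = {
    "chemstressconsulting.com":
        DomainRegistration("chemstressconsulting.com", date(2011, 8, 19)),
}
# "slightly over a /18" in the post; 17408 addresses is an assumed figure.
SAMPLE_ROUTE = RouteEvent("147.50.0.0/16", 23141, date(2011, 12, 23), 17408)


def assess_sample() -> list:
    return assess(SAMPLE_POC, SAMPLE_REGS, SAMPLE_ROUTE, holiday=date(2011, 12, 25))


if __name__ == "__main__":
    for signal in assess_sample():
        print(signal)
```

Run stand-alone it prints the five signal names for the constructed records; a POC change back to an address under the org's own domain, with a /24 announced in June by the same AS, produces no findings. None of these checks proves a hijack on its own; they are the questions a registry or an upstream could have asked before accepting the POC change and the route.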


