[arin-ppml] Beneficial Owners
Ronald F. Guilmette
rfg at tristatelogic.com
Tue Jul 17 04:36:38 EDT 2018
Quite reasonably, Mike Burns challenged me as to why I might be
more irritated to see network abuse, of one kind or another,
arising out of ARIN-issued resources, relative to the same sorts
of abuse arising out of resources issued by other RIRs.
As a result, I've been forced to agree that in the context of
"bad stuff on the Internet" the specific region it arises from
is not really all that relevant. Bad stuff is bad stuff no matter
where it comes from.
Nonetheless, I'd like to take a few moments and present two case
studies that may perhaps illuminate the sources of some of my
recent annoyances, and then ask for opinions as to what, if anything
ARIN might be able to do better that might have any bearing on these
types of situations, in general. ("Fixing" or "actioning" individual
problem spots is Good, but I, for one, am always looking for generalized
types of fixes that might alleviate every member of an entire class
of problems, for the future.)
+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_
Case #1)
--------
AS16628
NET-104-171-144-0-1 104.171.144.0/20
NET-104-237-224-0-1 104.237.224.0/19
NET-104-237-241-0-1 104.237.241.0/24 -- NOTE: sub-block of 104.237.224.0/19
NET-107-181-112-0-1 107.181.112.0/20
This one came to my attention just because whoever runs it was giving aid
and solace, briefly, to a different company named Bitcanal, in the form of
a /24 sub-block of their space that they allowed Mr. Bitcanal to route to
himself, briefly.
(As some here may be aware, Bitcanal and its owner are not exactly favorites
of mine, and the company and its owner have recently suffered a notable
loss of quite a lot of their former connectivity, which, in my opinion, is
all to the good.)
Anyway, it appears to be the case that the actual name of the company in
this case is really "Dedicated Fiber Communications, LLC", but this full
corporate name only appears in one out of four of the relevant ARIN IPv4
WHOIS records, as listed above. (And that is another small thing that I
could, and perhaps should beef about. Why does life have to be so hard
for us investigators? Why can't we at least have the WHOIS records for
all direct ARIN allocations containing the real and full legal name of the
registrant?? Oh well. We'll save that small gripe for another day.)
It's possible that there exist many different LLCs with this exact same name
in many different jurisdictions, including in arbitrary overseas countries.
In other words, as we speak there could be a "Dedicated Fiber Communications,
LLC" which has formal, legal existence in Belize, and another one with
this exact same name also in U.A.E., another one in the Seychelles Islands,
the Isle of Man, Scotland, Panama, and so forth, almost ad infinitum.
And it is even possible that none of these would have anything at all to
do with any of the others. So the first step in trying to establish the
real "who" of any corporate entity is to start by establishing the "where"
of the entity.
In this specific case, the relevant ARIN WHOIS records give us some clues
as to where this specific company... the one with the IPv4 blocks... is
actually located. But even those clues from the ARIN WHOIS records are
conflicting. One of the four listed above says that this company is in
Scotland, and the rest seem to say it is in Delaware (USA).
In fact, there -does- exist a Delaware LLC with this exact name. It was
incorporated in Delaware on 2014-01-14. In contrast, the web site of the
UK's "Companies House" corporate registry -does not- indicate that any
such company is, or has been properly and formally registered within the
UK. (And for those of you not well versed in political geography, that
includes Scotland... for the time being at least.)
Anyway, I wanted to ask the proprietor(s) of this place why they were
being so kind as to help out Bitcanal in its time of need, so I wrote to
the contact email address as listed in the relevant ARIN WHOIS records.
(See above.) That address was/is <noc at dedfiber.com>.
A short while later I got a reply -not- from any @dedfiber.com address,
but rather from this guy:
Ali Hajyani <ali at hajyani.info>
RIPE WHOIS records (e.g. AH27894-MNT) as well as other information I found
online indicate that this guy is actually an Iranian national, most likely
living and working in Iran as we speak.
Anyway, this fellow seems to be the real registrant behind the set of IPv4
CIDRs listed above, which includes a /19, and two /20s. It appears
most probable that in early 2014, at the height of the U.S./Iran sanctions,
this guy got himself a Delaware LLC... which he either created or bought...
and within 1 day thereof, he applied for and was issued an ARIN /19 and
two ARIN /20 blocks.
I have to assume that this all took place at a time when ARIN was still
flush with available IPv4 space.
I still don't much like it. I mean we in the United States, and also our
various allies within North America, the Caribbean, and elsewhere, have
all been waging an ongoing simmering low-level international conflict
with Iran for lo these past many years... over both their nuclear ambitions
-and- their support of groups such as Hezbollah. So on the one hand we've
been working to make life difficult for them, but then on the other hand
we appear to have been selling them nice juicy chunks of IPv4 real
estate. And we have been doing so during a time of IPv4 "shortage",
which makes it all the more inexplicable, to my way of thinking.
Of course, I may just be totally misreading what really took place here.
Maybe there was an existing company named "Dedicated Fiber Communications,
LLC" -somewhere- in the world and maybe it got bought by this Iranian
guy well after it received its IPv4 blocks from ARIN. But even if that's
the case, I still have a bit of trouble understanding why and how a
Delaware company could have been formed fresh on 2014-01-14, like Venus
arising from the Sea, and then, within one day, on 2014-01-15, ARIN
felt that this company... which the ink wasn't even dry on yet... should
get three IPv4 blocks totaling the equivalent of a /18.
I confess that my memory isn't that good and I can't really remember
what conditions were like way back in mid January of 2014. I can only
surmise that those were still the golden salad days when ARIN was still
giving out /20s in every box of Cracker Jack, and to pretty much any legal
entity with a total corporate history in excess of a full 24 hours.
Regardless of that, I still claim the right to be less than entirely
pleased to know that at that time, ARIN gave the equivalent of an entire
/18 to some public or private actor who was apparently employing a
perfectly legal Delaware front company, where said actor was and is
a resident of an international pariah (Iran) that even the likes of
China and Russia have never been all that terrifically fond of.
Please note also that Mr. Hajyani also appears to be the proprietor of
a separate and older company, "Pandilo, LLC" (AS60274, ORG-PA905-RIPE)
which itself appears to be an Iranian company that once upon a time,
circa 2010, made an abortive half-hearted attempt to incorporate also
in the State of Florida (USA).
Perhaps as direct or indirect results of my reports, either public or
private, regarding the apparent association between Pandilo, LLC and
Dedicated Fiber Communications, LLC, I see now that bgp.he.net is reporting
that as of July 5, 2018, AS60274 is not routing, and has not been routing
any IP space whatsoever, even though it was doing so prior to that very
recent date.
In any case, I do somewhat wonder why Mr. Hajyani is operating these
two different companies, simultaneously, on the Internet, when it
seems that just having one would do just as well, and would probably
be less complicated for him.
But that is not for me to judge.
What does seem clear is that as long as Mr. Hajyani -only- had a
company (Pandilo, LLC) which was -only- incorporated in Iran, he
might perhaps have faced more questions when and if he attempted to
obtain ARIN IPv4 address space, i.e. more than he would if he owned,
say, a Delaware LLC... which he did, it appears, starting in January,
2014.
Case #2)
--------
Secure Internet LLC / Uzair Gadit
NET-104-243-240-0-2 104.243.240.0/24
NET-104-243-241-0-1 104.243.241.0/24
NET-104-243-254-0-1 104.243.254.0/24
NET-104-243-255-0-1 104.243.255.0/24
NET-104-250-160-0-1 104.250.160.0/19
NET-104-250-160-0-2 104.250.160.0/24
NET-104-37-0-0-1 104.37.0.0/21
NET-107-191-38-240-1 107.191.38.240/29
NET-108-177-165-0-1 108.177.165.0/25
NET-142-91-77-128-1 142.91.77.128/25
NET-162-246-184-0-1 162.246.184.0/22
NET-172-111-128-0-1 172.111.128.0/17
NET-172-94-0-0-1 172.94.0.0/17
NET-173-199-120-248-1 173.199.120.248/29
NET-192-253-240-0-1 192.253.240.0/20
NET-192-253-244-0-1 192.253.244.0/24
NET-206-123-128-0-1 206.123.128.0/19
NET-45-74-0-0-1 45.74.0.0/18
NET6-2602-FF84-1 2602:FF84::/36
This company, and specifically the 172.94.0.0/17 block assigned to it,
came to my attention as a result of an investigation of a sizable group
of unambiguous snowshoe spamming domains. A comprehensive scan of the
reverse DNS associated with each and every IPv4 address within this block
exhibited a clear and unmistakable pattern characteristic of a large
scale professional snowshoe spamming operation, at least within a sizable
subset of this block's constituent /24 sub-blocks, as the relevant
reverse DNS (PTR) records that existed as of July 12th of this year
clearly demonstrate:
https://pastebin.com/raw/kZJyJ5x5
(Note that my reports of the issues within this block to a variety of
anti-spam organizations apparently resulted in the rapid discontinuation
of most or all of the relevant snowshoe rDNS shortly thereafter.
Unfortunately for the registrant of, and for the recent users of
172.94.0.0/17, historical records of the applicable rDNS/PTR records
as they existed on July 12th, are quite certainly still available for
public perusal within various passive DNS data bases, and I am confident
that these will verify and confirm my listing, created on the 12th,
as presented at the URL above.)
A company by the name of "Secure Internet, LLC" currently is registered
within the (US) State of Delaware. It is not known, by me at least, and
is not easily determinable, I think, whether or not that currently active
Delaware company has any relationship whatsoever to the Secure Internet
LLC to which ARIN issued or assigned the set of IPv4 address blocks
listed above. What can be said is that ARIN issued or otherwise assigned
the various IPv4 address blocks listed above to one or more companies
using this exact name (Secure Internet, LLC) and that the relevant ARIN
WHOIS records indicate a number of different mailing addresses, including
mailing addresses in the State of Texas, another in Macau (China), another
in the country of Belize, another in Beijing (China), and another in the State
of New Jersey. Among all of these diverse mailing addresses the one that
appears most frequently in the records is:
Address: 10685-B Hazelhurst Dr. #14783
Address: Houston, TX 77043 USA
City: Houston
StateProv: TX
PostalCode: 77043
This is an anonymous mailbox address. The "#14783" is the specific box
number. I did not even need to google the remaining parts of the address
as they are and were already known to me. That specific mail handling
company/facility is a long-time favorite of innumerable spammers.
There is, at present, -no- company named Secure Internet, LLC which is
legally registered to do business in -either- the State of Texas -or-
the State of New Jersey. I know of no easy way to check corporate
registration status in the other relevant "offshore" jurisdictions.
A majority of the relevant ARIN WHOIS records specifically mention
GADIT3-ARIN and thus, by implication, a gentleman named Uzair Gadit.
This seems to be a rather unique name.
A gentleman having the exact name has a Facebook page where he lists
himself as being a resident of Karachi, Pakistan:
https://www.facebook.com/uzair.gadit
A separate online reference to a gentleman having the exact name indicates
that he may currently reside in Dubai, U.A.E:
https://angel.co/uzair-gadit
Regardless of where the specific "Secure Internet, LLC" to which ARIN has
provided gobs and gobs of valuable IPv4 address is actually headquartered,
and regardless of where the actual "main man" of that organization is
presently residing, I, for one, am not at all happy to see an entire /17
being trashed and wasted on hosting a large scale snowshoe spamming
operation. (And I am apparently not alone in this view.) This is -not-
in any sense an efficient use of such a limited resource, and I suspect that
if the company was to undergo a usage audit today it would fail with flying
colors.
A number of factors add insult to injury in this case:
*) Perhaps due to my own abundant ignorance, I have no understanding
of how this company could have amassed such a plethora of IPv4
blocks... ARIN-issued or otherwise... when it seems to be making
such poor, inefficient, and deplorable use of the ones it's got.
*) It is essentially and absolutely impossible to tell from any of
the relevant WHOIS records, combined with searches of relevant
Secretaries of State web sites, where this company is actually
headquartered. Is it Texas? New Jersey? Delaware? Belize?
U.A.E.? Pakistan? China perhaps?
(An even more interesting question: Is ARIN even allowed to tell me?
Or is even the mere jurisdiction of a registrant contractually a part
of the "confidential customer information" that ARIN agrees never to
disclose to any third party?)
I do quite a bit of this kind of research, and still I can say that
it is rare for me to come across quite such a slippery and ethereal
corporate entity as this one. And the ARIN WHOIS records aren't making
it any easier to pin down just where the hell and/or what the hell this
thing actually is. Is it a Delaware LLC? A U.A.E. LLC? Neither? Both?
I can't tell. Nobody can. This is not exactly my definition of "transparency"
and it isn't doing any favors for anybody seeking to find a responsible
party, either to report a case of serious ongoing high-level hacking /
network abuse or even just to helpfully inform the proprietors of the
company in question about some misconfiguration or other issue that they
may want to know about.
*) I openly admit to a certain degree of irrational and unjustifiable
xenophobia with respect to all this. Mike Burns is completely correct
that if I get spammed, it hardly matters what region the relevant
provider got its IP addresses from, and even less what region the
proprietor of that provider happens to currently reside in. But I am
nonetheless offended to know that less than admirable actors from other
regions have used and are using what appear to be shell companies which
have then been used to acquire ARIN region resources that are then used
for other than admirable purposes.
Call me old fashioned, but if I'm going to be abused from ARIN-issued
resources, then I think that the least I can ask is that 100% of the
profits derived therefrom should be going to North American Bad Actors
who can then create jobs and stimulate the economy right here in North
America. I guess you might say that I'm totally down with our Cheeto
in Chief, specifically when it comes to his call to "Buy American".
If I have to endure being spammed from ARIN resources then I at least
want it to be all and only good North American spammers behind it,
rather than all of these darned foreigners.
So, now that I've thoroughly vented my recent personal frustrations, is any
of this fixable in a generalized sort of way that doesn't break everything
else?
Even if the answer is "no", I'd still like to know how many people on this
list are willing to sign my petition to build a wall and get RIPE to pay
for it. :-)
Regards,
rfg
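Case #2 rests on a bulk reverse-DNS scan of a /17 whose PTR names, taken together, showed the pattern of a snowshoe operation: many addresses, each carrying a generic mail-server hostname under its own throwaway domain. The following script is an added example, not code from the original post and not the author's pastebin listing; it applies that kind of pattern check to PTR data grouped per /24. The PTR records it runs on are constructed (RFC 5737 documentation ranges and the reserved `.invalid` TLD), the `WORDS` list exists only to vary the sample names, and the thresholds in `analyze_ptrs` are assumptions chosen for illustration rather than figures from the post. In practice the input would come from a bulk PTR scan or a passive-DNS export, which is also where an investigator would verify historical records after the rDNS has been torn down, as the post notes happened here.

```python
"""Heuristic check for snowshoe-style reverse DNS across a netblock.

Added example, not code from the original post.  The PTR records below are
constructed for illustration (RFC 5737 documentation ranges, .invalid TLD);
a real run would take the output of a bulk PTR scan or a passive-DNS export.
"""
import ipaddress
from collections import Counter, defaultdict

# Constructed word list used only to build varied-looking sample domain names.
WORDS = ["alpha", "bravo", "charlie", "delta", "echo", "foxtrot", "golf", "hotel"]


def registrable_domain(ptr_name):
    """Crude registrable domain: the last two DNS labels, lower-cased.

    Assumption for this example: no multi-label public suffixes (co.uk, etc.)
    occur in the input.  A production tool would consult the Public Suffix List.
    """
    labels = ptr_name.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def analyze_ptrs(ptrs, sub_prefix=24, min_coverage=0.5, min_domains=20,
                 max_domain_share=0.1):
    """Group PTR records by /sub_prefix and flag sub-blocks whose naming looks
    like snowshoe infrastructure: most addresses carry a PTR, the names point
    at many different registrable domains, and no single domain owns more than
    a small share of them.  The thresholds are assumptions chosen for this
    example, not figures from the post.  All addresses must share one IP
    version so the sub-blocks can be sorted.
    """
    by_subnet = defaultdict(dict)
    for ip_str, name in ptrs.items():
        ip = ipaddress.ip_address(ip_str)
        net = ipaddress.ip_network(f"{ip}/{sub_prefix}", strict=False)
        by_subnet[net][ip] = name

    results = {}
    for net, records in sorted(by_subnet.items()):
        domains = Counter(registrable_domain(n) for n in records.values())
        coverage = len(records) / net.num_addresses
        top_share = domains.most_common(1)[0][1] / len(records)
        flagged = (coverage >= min_coverage
                   and len(domains) >= min_domains
                   and top_share <= max_domain_share)
        results[str(net)] = {
            "ptr_count": len(records),
            "distinct_domains": len(domains),
            "coverage": round(coverage, 2),
            "top_domain_share": round(top_share, 3),
            "snowshoe_pattern": flagged,
        }
    return results


def build_sample_ptrs():
    """Constructed sample: one /24 with snowshoe-looking PTRs, one with ordinary
    hosting-provider PTRs, and one sparsely populated corporate /24."""
    ptrs = {}
    # 192.0.2.0/24: 200 addresses, each with its own throwaway domain behind a
    # generic mail-server hostname.  Many domains, one address apiece.
    for i, ip in enumerate(ipaddress.ip_network("192.0.2.0/24").hosts()):
        if i >= 200:
            break
        ptrs[str(ip)] = f"mail.{WORDS[i % len(WORDS)]}{i}.invalid"
    # 198.51.100.0/24: every address carries a generic provider PTR under a
    # single domain, as a normal hosting range would.
    for ip in ipaddress.ip_network("198.51.100.0/24").hosts():
        ptrs[str(ip)] = f"static-{str(ip).replace('.', '-')}.hoster.invalid"
    # 203.0.113.0/24: a couple of named hosts, most addresses with no PTR.
    ptrs["203.0.113.10"] = "www.corp.invalid"
    ptrs["203.0.113.25"] = "mx1.corp.invalid"
    return ptrs


if __name__ == "__main__":
    for subnet, stats in analyze_ptrs(build_sample_ptrs()).items():
        print(subnet, stats)
```

Only the first /24 is flagged: high PTR coverage, 200 distinct domains, and no domain appearing more than once. The hosting-style /24 has the same coverage but a single domain, and the corporate /24 has too few records to say anything. The three conditions together are what separate a snowshoe range from a densely populated but legitimate provider block; any one of them alone produces false positives.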