[afnog] AS35916 and 163.198.0.0/16 AFRINIC block

Noah noah at neo.co.tz
Fri Aug 4 03:59:06 UTC 2017


Hi Will,

This is just the beginning; we are going to see more and more of these cases
as IPv4 continues to deplete in our region.

Cheers,
Noah

On 3 Aug 2017 8:13 p.m., "Willy MANGA" <mangawilly at gmail.com> wrote:

> Hi,
> read it on NANOG list ...
>
> 163.198.0.0/16 block is not the first to be hijacked, but at least if
> someone knows the owner or any solution that can fix it ...
>
> ------------------------------
>
> Date: Thu, 03 Aug 2017 02:52:43 -0700
> From: "Ronald F. Guilmette" <rfg at tristatelogic.com>
> To: nanog at nanog.org
> Subject: Multicom Hijacks:  Do you peer with these turkeys (AS35916)?
> Message-ID: <24545.1501753963 at segfault.tristatelogic.com>
>
>
> Well, it took less than a day for my last missive here to get the
> hijacks associated with AS202746 (Nexus Webhosting) taken down.
> I guess that somebody must have smacked Telia upside the head with
> a clue-by-four at long last.
>
> So, with that out of the way, let's see what else I can accomplish
> this week.
>
> As I understand it, the theory is that the thing that keeps the
> entire Internet from descending into the final stages of a totally
> broken "tragedy of the commons" is peer pressure.  As everyone knows,
> there is no "Internet Police", so the whole system relies on the
> ability and willingness of networks to de-peer from other networks
> when those other networks are demonstrably behaving badly.
>
> Let's find out if that actually works, in practice, shall we?
>
> According to bgp.he.net, the top three peers of AS35916 (Multacom)
> are as follows:
>
>     AS2914      NTT America, Inc.
>     AS3223      Voxility S.R.L.
>     AS209       Qwest Communications Company, LLC
>
> I'd like help from any and all subscribers to this mailing list who
> might have contacts in these companies.  I'd like you to call their
> attention to Multacom's routing of the following block specifically:
>
>     163.198.0.0/16
>
> This is a long-abandoned Afrinic block belonging to a semi-defunct
> company called "Agrihold".  In fact, this block was a part of the
> massive number of hijacked legacy Afrinic /16 blocks that I pointed
> out, right here on this mailing list, way back last November:
>
>    https://mailman.nanog.org/pipermail/nanog/2016-November/089164.html
>
> After that posting, whoever was responsible for all those blatant
> hijackings got cold feet, apparently, and stopped passing all of those
> bogus route announcements out through their pals at AS260, Xconnect24 Inc.
>
> And so, for a brief time at least, the wanton pillaging of legacy Afrinic
> /16 blocks, and the reselling of those stolen blocks to various snowshoe
> spammers stopped... for awhile.
>
> But it appears that on or about January 6th of this year, Multacom
> leapt into the breach and re-hijacked both the 163.198.0.0/16 block
> and also the additional Afrinic legacy block, 160.115.0.0/16.  (They
> apparently stopped routing this latter block some time ago, for reasons
> unknown.  But the fact that Multacom was indeed routing this second
> purloined legacy Afrinic /16 block also is in the historical records
> now, and cannot be denied.  Multacom's routing of both blocks began
> around January 6th or so of this year, 2017.)
>
> Just as a courtesy, I sent the block absconders at Multacom a short email,
> earlier today, asking them if they had an LOA which demonstrates that
> they have rights/permission to be routing the 163.198.0.0/16 block.  Of
> course, the mystery person (noc@) who emailed me back claimed that they
> did, but unfortunately, he was not under oath at the time.  I asked
> if he could show me a copy of this purported LOA, and I haven't heard
> back from anybody at Multacom ever since.
>
> I don't really think there is any big mystery here, nor do I think
> that Multacom has or had, at any time, any rights to be routing these
> two legacy Afrinic /16 blocks.  But they have done so, and continue
> to do so, in the case of the 163.198.0.0/16 block at least, quite
> obviously because -somebody- is paying them to do it, even in the total
> absence of a legitimate LOA.
>
> And as it turns out, it is quite easy to figure out who Multacom has
> been routing these two hijacked legacy Afrinic /16 blocks both for and
> to.
>
> It's trivially easy to run a traceroute to any arbitrary IP address
> within the 163.198.0.0/16 block.  No matter which one you pick, the
> traceroute always passes through a particular IP address, 178.250.191.162,
> before the remainder of the traceroute gets deliberately blocked.
>
> That IP address is registered *not* to some long lost African concern, but
> rather to a Romanian networking company called Architecture Iq Data S.R.L.
>
> That company itself is apparently owned by a fellow by the name of
> Alexandru ("Andrei") Stanciu who hails from the city of Suceava, Romania.
> (Note that this is apparently *not* the same Alexandru Stanciu who the FBI
> arrested on bank and wire fraud charges in 2014.  That one apparently
> hailed from Bucharest.)
>
> Anyway, "networking" seems to be only one of our Mr. Stanciu's many and
> varied business interests.  His networking company, Architecture Iq Data
> S.R.L. has a web site (http://architekiq.ro/) but it is "shallow" to
> say the least.  Many, and perhaps even most, of the links on the home page
> of that company's web site seem to lead nowhere.
>
> In contrast, Mr. Stanciu has the following other well-developed web sites
> and companies:
>
>     ads.com.ro
>     promoart.ro
>     largeformatprinting.ro
>         Promoart S.R.L.
>     Advertising Distribution Supplies S.R.L.
>
> Mostly, he seems to be in the advertising business, as evidenced by the
> above web sites, and also by his membership in the "Email Marketing Gurus"
> special interest group over on LinkedIn:
>
>      https://ro.linkedin.com/in/alexandru-stanciu-8846aa12a
>
> Given Mr. Stanciu's apparent professional interests, it is not really all that
> surprising that the two hijacked legacy Afrinic /16 blocks that Multacom
> has been kind enough to route... both for him and to him... do in fact seem
> to be associated with numerous domain names that obviously consist of
> just two random dictionary words smashed together, followed by either .com
> or .net.  This exact motif is quite commonly used by and among many of
> the Internet's most prolific snowshoe spammers.
>
> And of course, Mr. Stanciu's snowshoe spamming domains would not be
> maximally productive unless they each had SPF TXT records attached...
> ones that would pass muster with the recipients of Mr. Stanciu's spams.
> Those SPF TXT records are listed here, along the relevant domain names:
>
>      https://pastebin.com/raw/BbK2YGe6
>
> (Whenever possible snowshoe spammers also like to be able to send out
> their spams from IP addresses where they have already set up nicely
> matching reverse DNS, because a lot of recipient mail servers these
> days just won't accept inbound email anymore from no-reverse-dns IP
> addresses.  But unfortunately for Mr. Stanciu, and for Multacom, the fact
> that they both just sort of walked off with the 163.198.0.0/16 block
> means that although they can -route- that space, they can't get the
> authority to control the reverse DNS for this block delegated to them.
> In order to do that, they'd have to get permission to do reverse DNS for
> the block FROM THE REAL AND LEGITIMATE BLOCK OWNER.  And since that ain't
> them, nor even anybody who even knows what these clever fellows are up
> to, they can't.  So Mr. Stanciu is stuck sending out his spams in a
> sub-optimal way, without either matching reverse DNS or even *any*
> reverse DNS for the entire /16 block he's stolen.  Sorry Mr. Stanciu!
> Sorry Multacom!)
>
> As anybody who understands this stuff will by now be utterly convinced, the
> legacy Afrinic address block, 163.198.0.0/16, has been hijacked, stolen,
> or whatever you prefer to call it, by Mr. Alexandru ("Andrei") Stanciu of
> Suceava, Romania, specifically for "snowshoe" spamming purposes, and with
> the significant help and assistance of AS35916, aka Multacom Corporation
> of 16654 Soledad Canyon Rd #150, Canyon Country, California, 91387, which
> is actually the entity announcing the routes to this clearly illicitly
> "liberated" IP block.
>
> So now, would one or more of you kind folks on this list who are more
> fortunate than me, and who have connections please be so kind as to
> let the following entities know about what Multacom is actually up to
> here?
>
>     AS2914  NTT America, Inc.
>     AS3223  Voxility S.R.L.
>     AS209   Qwest Communications Company, LLC
>
> Maybe they won't care, but they should.  Maybe we can find out if the
> notion of peer pressure... or perhaps even de-peer pressure... works
> as well in practice as it allegedly does in theory.
>
> Thanks for listening.
>
>
> Regards,
> rfg
>
> _______________________________________________
> afnog mailing list
> https://www.afnog.org/mailman/listinfo/afnog
>
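The quoted post links to a list of SPF TXT records for the spam domains that point senders into the hijacked 163.198.0.0/16 block. The following is an added example, not part of either message above and not the contents of the linked pastebin: given a set of domain-to-SPF-record pairs (the four records below are constructed for illustration and are not real data), it parses the ip4:/ip6: mechanisms and flags every domain whose SPF record positively authorizes senders inside a suspect prefix. Mechanisms that would require DNS resolution (a, mx, include:, redirect=) are deliberately skipped so the check runs offline; a real scan would resolve those separately. The helper names are this example's own.

```python
"""Flag SPF records that authorize senders inside a suspect prefix.

Added example. The SPF records in SAMPLE_SPF are constructed for
illustration; they are not the records referenced in the post.
"""
import ipaddress
import re

# Prefix under discussion in the post.
SUSPECT_PREFIX = "163.198.0.0/16"

# Constructed sample data (domain -> published SPF TXT record).
SAMPLE_SPF = {
    "example-one.com": "v=spf1 ip4:163.198.12.0/24 ip4:163.198.77.5 -all",
    "example-two.net": "v=spf1 mx a ip4:192.0.2.10 ~all",
    "example-three.com": "v=spf1 ip4:160.115.3.0/24 include:_spf.example.org -all",
    "example-four.net": "v=spf1 ip6:2001:db8::/32 -all",
}

# Optional qualifier (+ - ~ ?) followed by an ip4: or ip6: mechanism.
MECH_RE = re.compile(r"^([+\-~?])?(ip4|ip6):(.+)$", re.IGNORECASE)


def spf_networks(record):
    """Return (qualifier, network) pairs for the ip4:/ip6: mechanisms.

    a, mx, include: and redirect= need DNS lookups and are skipped here.
    A bare ip4:1.2.3.4 is normalised to a /32 (ip6 to a /128).
    """
    if not record.lower().startswith("v=spf1"):
        raise ValueError("not an SPF version 1 record")
    nets = []
    for term in record.split()[1:]:
        m = MECH_RE.match(term)
        if not m:
            continue
        qualifier = m.group(1) or "+"  # SPF default qualifier is pass
        try:
            net = ipaddress.ip_network(m.group(3), strict=False)
        except ValueError:
            continue  # malformed mechanism: skip rather than abort the scan
        nets.append((qualifier, net))
    return nets


def authorizes_in(record, prefix):
    """Networks the record authorizes (qualifier '+') that overlap prefix."""
    prefix = ipaddress.ip_network(prefix)
    hits = []
    for qualifier, net in spf_networks(record):
        if qualifier != "+" or net.version != prefix.version:
            continue
        if net.overlaps(prefix):
            hits.append(str(net))
    return hits


def scan(records, prefix=SUSPECT_PREFIX):
    """Map each domain to the authorized networks inside prefix.

    Domains with no hit are omitted from the result.
    """
    out = {}
    for domain, record in records.items():
        hits = authorizes_in(record, prefix)
        if hits:
            out[domain] = hits
    return out


if __name__ == "__main__":
    for domain, nets in scan(SAMPLE_SPF).items():
        print(f"{domain}: SPF authorizes {', '.join(nets)} inside {SUSPECT_PREFIX}")
```

Running it against the constructed sample reports only example-one.com for 163.198.0.0/16; passing "160.115.0.0/16" instead reports example-three.com, the other legacy block named in the post. A record that merely mentions the prefix with a fail qualifier (for example "-ip4:163.198.0.0/16") is not flagged, since it does not authorize anything there.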

