<div dir="auto">Hi Will,<div dir="auto"><br></div><div dir="auto">This is just the beginning, we are going to see more and more of this cases as IPv4 continues to deplete in our region.</div><div dir="auto"><br></div><div dir="auto">Cheers,</div><div dir="auto">Noah</div></div><div class="gmail_extra"><br><div class="gmail_quote">On 3 Aug 2017 8:13 p.m., "Willy MANGA" <<a href="mailto:mangawilly@gmail.com" target="_blank">mangawilly@gmail.com</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi,<br>
read it on NANOG list ...<br>
<br>
<a href="http://163.198.0.0/16" rel="noreferrer" target="_blank">163.198.0.0/16</a> block is not the first to be hijacked but at least if<br>
someone know the owner or any solution who can fix it ...<br>
<br>
------------------------------<br>
<br>
Date: Thu, 03 Aug 2017 02:52:43 -0700<br>
From: "Ronald F. Guilmette" <<a href="mailto:rfg@tristatelogic.com">rfg@tristatelogic.com</a>><br>
To: <a href="mailto:nanog@nanog.org">nanog@nanog.org</a><br>
Subject: Multicom Hijacks: Do you peer with these turkeys (AS35916)?<br>
Message-ID: <<a href="mailto:24545.1501753963@segfault.tristatelogic.com">24545.1501753963@segfault.<wbr>tristatelogic.com</a>><br>
<br>
<br>
Well, it took less than a day for my last missive here to get the<br>
hijacks associated with AS202746 (Nexus Webhosting) taken down.<br>
I guess that somebody must have smacked Telia upside the head with<br>
a clue-by-four at long last.<br>
<br>
So, with that out of the way, let's see what else I can accomplish<br>
this week.<br>
<br>
As I understand it, the theory is that the thing that keeps the<br>
entire Internet from descending into the final stages of a totally<br>
broken "tragedy of the commons" is peer pressure. As everyone knows,<br>
there is no "Internet Police", so the whole system relies on the<br>
ability and willingness of networks to de-peer from other networks<br>
when those other networks are demonstratably behaving badly.<br>
<br>
Let's find out if that actually works, in practice, shall we?<br>
<br>
According to <a href="http://bgp.he.net" rel="noreferrer" target="_blank">bgp.he.net</a>, the top three peers of AS35916 (Multacom)<br>
are as follows:<br>
<br>
AS2914 NTT America, Inc.<br>
AS3223 Voxility S.R.L.<br>
AS209 Qwest Communications Company, LLC<br>
<br>
I'd like help from any and all subscribers to this mailing list who<br>
might have contacts in these companies. I'd like you to call their<br>
attention to Multacom's routing of the following block specifically:<br>
<br>
<a href="http://163.198.0.0/16" rel="noreferrer" target="_blank">163.198.0.0/16</a><br>
<br>
This is a long-abandoned Afrinic block belonging to a semi-defunct<br>
company called "Agrihold". In fact, this block was a part of the<br>
massive number of hijacked legacy Afrinic /16 blocks that I pointed<br>
out, right here on this maling list, way back last November:<br>
<br>
<a href="https://mailman.nanog.org/pipermail/nanog/2016-November/089164.html" rel="noreferrer" target="_blank">https://mailman.nanog.org/<wbr>pipermail/nanog/2016-November/<wbr>089164.html</a><br>
<br>
After that posting, whoever was responsible for all those blatant<br>
hijackings got cold feet, apparently, and stopped passing all of those<br>
bogus route announcements out through their pals at AS260, Xconnect24 Inc.<br>
<br>
And so, for a brief time at least, the wanton pillaging of legacy Afrinic<br>
/16 blocks, and the reselling of those stolen blocks to various snowshoe<br>
spammers stopped... for awhile.<br>
<br>
But it appears that on or about January 6th of this year, Mulutacom<br>
lept into the breach and re-hijacked both the <a href="http://163.198.0.0/16" rel="noreferrer" target="_blank">163.198.0.0/16</a> block<br>
and also the additional Afrinic legacy block, <a href="http://160.115.0.0/16" rel="noreferrer" target="_blank">160.115.0.0/16</a>. (They<br>
apparently stopped routing this latter block some time ago, for reasons<br>
unknown. But that fact that Multacom was indeed routing this second<br>
purloined legacy Afrinic /16 block also is in the historical records<br>
now, and cannot be denied. Multicom's routing of both blocks began<br>
around January 6th or so of this year, 2017.)<br>
<br>
Just as a courtesy, I sent the block absconders at Multacom a short email,<br>
earlier today, asking them if they had an LOA which demonstrates that<br>
they have rights/permission to be routing the <a href="http://163.198.0.0/16" rel="noreferrer" target="_blank">163.198.0.0/16</a> block. Of<br>
course, the mystery person (noc@) who emailed me back claimed that they<br>
did, but unfortunately, he was not under oath at the time. I asked<br>
if he could show me a copy of this purported LOA, and I haven't heard<br>
back from anybody at Mulatcom ever since.<br>
<br>
I don't really think there is any big mystery here, nor do I think<br>
that Multacom has or had, at any time, any rights to be routing these<br>
two legacy Afrinic /16 blocks. But they have done so, and continue<br>
to do so, in the case of the <a href="http://163.198.0.0/16" rel="noreferrer" target="_blank">163.198.0.0/16</a> block at least, quite<br>
obviously because -somebody- is paying them to do it, even in the total<br>
absence of a legitimate LOA.<br>
<br>
And as it turns out, it is quite easy to figure out who Multacom has<br>
been routing these two hijacked legacy Afrinic /16 blocks both for and<br>
to.<br>
<br>
It's trivially easy to run a traceroute to any arbitrary IP address<br>
within the <a href="http://163.198.0.0/16" rel="noreferrer" target="_blank">163.198.0.0/16</a> block. No matter which one you pick, the<br>
traceroute always passes through a particular IP address, 178.250.191.162,<br>
before the remainder of the traceroute gets deliberately blocked.<br>
<br>
That IP address is registered *not* to some long lost African concern, but<br>
rather to a Romanian networking company called Architecture Iq Data S.R.L.<br>
<br>
That company itself is apparently owned by a fellow by the name of<br>
Alexandru ("Andrei") Stanciu who hails from the city of Suceava, Romania.<br>
(Note that this is apparently *not* the same Alexandru Stanciu who the FBI<br>
arrested on bank and wire fraud charges in 2014. That one apparently hailed<br>
from Bucharest.)<br>
<br>
Anyway, "networking" seems to be only one of our Mr. Stanciu's many and<br>
varied business interest. His networking company, Architecture Iq Data<br>
S.R.L. has a web site (<a href="http://architekiq.ro/" rel="noreferrer" target="_blank">http://architekiq.ro/</a>) but it is "shallow" to<br>
say the least. Many, and perhaps evenmost of the links on the home page<br>
of that company's web site seem to lead nowhere.<br>
<br>
In cotrast, Mr. Stanciu has the following other well-developed web sites<br>
and companies:<br>
<br>
<a href="http://ads.com.ro" rel="noreferrer" target="_blank">ads.com.ro</a><br>
<a href="http://promoart.ro" rel="noreferrer" target="_blank">promoart.ro</a><br>
<a href="http://largeformatprinting.ro" rel="noreferrer" target="_blank">largeformatprinting.ro</a><br>
Promoart S.R.L.<br>
Advertising Distribution Supplies S.R.L.<br>
<br>
Mostly, he seems to be in the advertising business, as evidenced by the<br>
above web sites, and also by his membership in the "Email Marketing Gurus"<br>
special interest group over on LinkedIn:<br>
<br>
<a href="https://ro.linkedin.com/in/alexandru-stanciu-8846aa12a" rel="noreferrer" target="_blank">https://ro.linkedin.com/in/<wbr>alexandru-stanciu-8846aa12a</a><br>
<br>
Given Mr. Stanciu's apparent professonal interests, it is not really all<br>
that<br>
surprising that the two hijacked legacy Afrinic /16 blocks that Multacom<br>
has been kind enough to route... both for him and to him... do in fact seem<br>
to be associated with numerous domain names that obviously consist of<br>
just two random dictionary words smashed together, followed by either .com<br>
or .net. This exact motif is quite commonly used by and among many of<br>
the Internet's most prolific snowshoe spammers.<br>
<br>
And of course, Mr. Stanciu's snowshoe spamming domains would not be<br>
maximally productive unless they each had SPF TXT records attached...<br>
ones that would pass muster with the recipients of Mr. Stanciu's spams.<br>
Those SPF TXT records are listed here, along the relevant domain names:<br>
<br>
<a href="https://pastebin.com/raw/BbK2YGe6" rel="noreferrer" target="_blank">https://pastebin.com/raw/<wbr>BbK2YGe6</a><br>
<br>
(Whenever possible snowshoe spammers also like to be able to send out<br>
their spams from from IP addresses where they have already set up nicely<br>
mattching reverse DNS, because a lot of recipient mail servers these<br>
days just won't accept inbound email anymore from no-reverse-dns IP<br>
addreses. But unfortunately for Mr. Stanciu, and for Multacom, the fact<br>
that they both just sort of walked off with the <a href="http://163.198.0.0/16" rel="noreferrer" target="_blank">163.198.0.0/16</a> block<br>
means that although they can -route- that space, they can't get the<br>
authority to control the reverse DNS for this block delegated to them.<br>
In order to do that, they'd have to get permission to do reverse DNS for<br>
the block FROM THE REAL AND LEGITIMATE BLOCK OWNER. And since that ain't<br>
them, nor even anybody who even knows what these clever fellows are up<br>
to, they can't. So Mr. Stanciu is stuck sending out his spams in a<br>
sub-optimal way, without either matching reverse DNS or even *any*<br>
reverse DNS for the entire /16 block he's stolen. Sorry Mr. Stanciu!<br>
Sorry Multacom!)<br>
<br>
As anybody who understand this stuff will by now be utterly convinced, the<br>
legacy Afrinic address block, <a href="http://163.198.0.0/16" rel="noreferrer" target="_blank">163.198.0.0/16</a>, has been hijacked, stolen,<br>
or whatever you prefer to call it, by Mr. Alexandru ("Andrei") Stanciu of<br>
Suceava, Romania, specifically for "snowshode" spamming purposes, and with<br>
the significant help and assistance of AS35916, aka Multacom Corporation<br>
of 16654 Soledad Canyon Rd #150, Canyon Country, Calfornia, 91387, which<br>
is actually the entity announcing the routes to this clearly illicitly<br>
"liberated" IP block.<br>
<br>
So now, would one or more of you kind folks on this list who are more<br>
fortunate than me, and who have connections please be so kind as to<br>
let the following entities know about what Multacom is acctually up to<br>
here?<br>
<br>
AS2914 NTT America, Inc.<br>
AS3223 Voxility S.R.L.<br>
AS209 Qwest Communications Company, LLC<br>
<br>
Maybe they won't care, but they should. Maybe we can find out if the<br>
notion of peer pressure... or perhaps even de-peer pressure... works<br>
as well in practice as it allegedly does in theory.<br>
<br>
Thanks for listening.<br>
<br>
<br>
Regards,<br>
rfg<br>
<br>
______________________________<wbr>_________________<br>
afnog mailing list<br>
<a href="https://www.afnog.org/mailman/listinfo/afnog" rel="noreferrer" target="_blank">https://www.afnog.org/mailman/<wbr>listinfo/afnog</a><br>
</blockquote></div></div>