The Spamhaus Project


Dutch ISP Attempts False Police Report

by The Spamhaus Team, October 14, 2011

If The Netherlands has penalties for filing false reports and wasting police time, Dutch ISP 'A2B Internet' will be looking at a hefty fine. The owner of the small Dutch transit ISP claimed on Tuesday 11 Oct to have filed a report with local police in the Dutch region of Zaanstreek-Waterland accusing Spamhaus of "extortion" and carrying out a "DoS attack" on his network. Spamhaus had flagged A2B Internet BV as a 'dirty ISP' which was knowingly selling internet connectivity to spam and crime outfits, and had listed one of A2B Internet's IP ranges on the Spamhaus Block List ("SBL") for persistently selling internet connectivity to spam and crime outfits.

The SBL Advisory is a database of IP addresses used by almost three-quarters of Internet networks to filter incoming email traffic. Spamhaus places on the SBL IP addresses which do not meet its published policies and therefore from which Spamhaus does not recommend the acceptance of electronic mail. The SBL lists 4 categories of abuse: spam sources, spam hosts, spam services and spam support services.

Per Spamhaus policy, on October 6th, after notifying A2B several times since June without results, an SBL listing which A2B had been ignoring was escalated to the SBL's "providing a spam support service" category and increased to include one of A2B's IP ranges. The escalated SBL record SBL112638 listed 178.249.152.0/21 for providing routing "knowingly and for profit" to a rogue host known as "CB3ROB" or "Cyberbunker", an outfit which Spamhaus has long seen involved in hosting cybercrime and spam outfits. SBL listings of CB3ROB had been mounting steadily during 2011 for hosting malware, phishing and websites selling fraudulent goods advertised via spam. CB3ROB had announced that it would not terminate customers due to spam listings - an announcement which sent a golden invitation to even more spam and crime customers to the point where all of CB3ROB was placed on the Spamhaus DROP ("Don't Route Or Peer") list at the beginning of October.

(If the name sounds familiar, it is: CB3ROB A/K/A "CyberBunker" has a long history of run-ins with the law. It was also a host of the infamous "Russian Business Network" cyber-crime gang broken up by the FBI and other law enforcement agencies)

Until Spamhaus finally escalated the SBL listing on October 6th, A2B Internet was also providing connectivity to a Chinese-based rogue host, idear4business.net, a "bullet-proof spam hosting provider" whose business also extended to selling counterfeit watches advertised via spam. Asked to cease providing service to the idear4business spam hosting outfit in June 2011, A2B Internet refused. A2B's Erik Bais told Spamhaus "IDEAR4BUSINESS is partly owned by the Chinese government. Under Chinese law, selling replicas isn't against the law". Mr Bais suggested to Spamhaus "there is always the option open for you to request a court order for a take-down under German law based on copyright infringement and/or trademark violation. CB3ROB as their initial transit provider is a German based company".

(Spamhaus notes that in fact there is evidence that CB3ROB is actually run from The Netherlands and merely pretends to be German, perhaps to avoid interest from the Dutch authorities)

After Spamhaus listed one of A2B Internet's IP ranges on the SBL on October 6th, A2B replied the next day that they had ceased providing transit to the spam and malware sites at CB3ROB. Spamhaus thanked A2B and removed the SBL listing.

Two days later, almost certainly prompted by his CB3ROB customer, A2B's Erik Bais decided to try a ploy to circumvent further SBL listings for hosting rogue customers by filing a police report falsely claiming that Spamhaus had conducted a "DoS Attack" on A2B's network, had tried to "extort" A2B, and that the SBL's listing policies are "illegal" in The Netherlands. Mr Bais then emailed Spamhaus saying "If Spamhaus would limit (future SBL) listings to only the offending IPs" we would avoid "further escalation" from him.

Spamhaus director Steve Linford responded to Bais's email saying: "Spamhaus SBL policies are very clear, have been unchanged for over 10 years and have always included a policy of escalation where the upstream is 'knowingly involved' (or 'tacitly involved') in keeping an abuse source connected to abuse Spamhaus's users. Spamhaus has a duty to protect SBL users from abuse and abusive networks. If you want your network to enjoy sending communications to Spamhaus SBL users, you must ensure your network respects our policies on spam/abuse."

Often those engaged in profiting from abuse believe that getting around an SBL listing is a simple matter of threatening Spamhaus or its staff. Spreading false stories online or to the press and making fake legal threats are common. Filing a false police report however should ensure that A2B Internet now receives the attention it merits into its dealings with the spam and cybercrime outfits it has been selling transit to.

With no irony lost, this week senior staff from Spamhaus and the Dutch high-tech crime-unit tasked to investigate the very criminal activity CB3ROB hosts and A2B Internet routed, were meeting together at an anti-cybercrime conference. CB3ROB, A2B Internet and the phishing, malware and counterfeit goods outfits both were tacitly servicing were discussed and Spamhaus handed its files on CB3ROB and A2B Internet to the Dutch NHTCU's investigator.

A2B Internet's false tale of being "extorted" and hit with a "DoS attack" was a fib spun by an ISP whose financial interests seem to have rested with the rogue spam and cybercrime host he was selling transit to.


Further information

Although now no longer connected via A2B Internet, CB3ROB A/K/A "CyberBunker" is currently still online - as are the spam and malware issues it was listed for. All IP space belonging to CB3ROB has been listed on the SBL for some time and is also on the Spamhaus DROP List. Spamhaus strongly advises networks who are not using SBL or DROP to take precautions to safeguard their users from CB3ROB IP space. Until either CB3ROB seriously cleans up their hosting or is closed down because of it, we advise that all data packets going to or from CB3ROB be regarded with extreme caution.

Very few networks are willing to connect rogue hosts such as CB3ROB to the internet. Transit providers profiting from selling transit to CB3ROB included Ecatel.net, Grafix.nl, datahouse.nl and a2b-internet.com. The owner of a2b-internet.com, Erik Bais, is also the NOC manager for Grafix.nl, and is also the NOC manager for datahouse.nl - which underlines that three of the companies linked to CB3ROB have more than just some links in common.


Spamhaus SBL Listing Policy

Spamhaus SBL Listing Policy is published at

http://www.spamhaus.org/sbl/policy.html

SBL Listing Policy clause "Spam Support Services" states:

"Spam Support Services - Services providing service to known spam operations listed on ROKSO, services providing 'bullet-proof hosting' for spam service purposes, services obfuscating or anonymising spam senders, services selling or providing hosting for the sales or distribution of spamware or address lists, and networks knowingly hosting spammers as either stated or de facto policy."


3rd Party corroboration of CB3ROB phish/scam/malware

http://www.malwareurl.com/listing.php?as=AS34109&active=on

http://www.phishtank.com/phish_detail.php?phish_id=1138465&frame=details