Subscribe to RSS News Feed
About Spamhaus  |  Press Office  |  FAQs   
Network Hijacking on the Rise

2016-09-26 15:53:00 UTC, by The Spamhaus Team
Recent News Articles

Network Hijacking on the Rise

Subscription Bombing: COI, CAPTCHA, and the Next Generation of Mail Bombs

More Domain Stats: The 10 Most Abused Registrars

SBL/ZEN DNS lookups to return DROP/eDROP status

Spamhaus Presents: The World's Worst Top Level Domains

Verizon Routing Millions of IP Addresses for Cybercrime Gangs

Brazilian internet users suffer SoftLayer's security fail

Network under attack? You might be surprised where that's coming from!

Older News Articles:
Spamhaus News INDEX

As we discussed in a previous article, allocations of IP addresses (IPv4 addresses) are getting hard to come by, especially for spammers. Because the IP addresses they use quickly get a bad reputation as sources of spam, spammers constantly need fresh IPs that are not yet "burned".

To get around this problem, spammers increasingly now turn to a cheap and plentiful source of IP addresses by hijacking existing IP address ranges from under the noses of the legitimate owners and ARIN.

How is the hijacking accomplished? Let's take a look at one example.

Favourite targets for the hijackers are Legacy IP address ranges. Since these IP address ranges were originally issued prior to ARIN's inception in 1997, they can not be revoked for lack of paying yearly fees, and it's possible for them to lie dormant, sometimes forgotten by the legitimate owners.

In 2012, Spamhaus became aware of spam being sent from one of these legacy IP address ranges,, owned by Chemstress Consultant Company. Looking at the routing history for

We can see that this range has not been used for a while, and has a history of short lived announcements. This isn't looking good for the announcements being legitimate.

So we can then take a look at the WHOIS history from ARIN and GoDaddy and trace the hijacker's exact steps:
  • 1991-07-01 - ARIN record for Chemstress Consultant Company created (definitely a legacy range in 1991)

  • 2011-08-19 - The domain CHEMSTRESSCONSULTING.COM is registered to "Timothy Tausch", the name found from the original ARIN records from 20 years ago (note: the real company's domain is CHEMSTRESS.COM)

  • 2011-12-12 - ARIN is tricked into updating Timothy Tausch's contact information to the email address

  • 2011-12-16 - starts to be announced on behalf of the hijacker

  • 2012-06-10 - The company's address in ARIN is updated to "3465 S. Arlington Rd." (a PO Box store in Akron, Ohio)
Adding up all the evidence, this strongly pointed to this being hijacked. So we contacted the Internet Service Provider (ISP) making the announcement for this range. They informed us that they had already shut things down due to non-payment. It turns out the credit card given by "Tim's" partner in California was no good. The ISP provided us with some emails from the "owner" of this range:

    From: <>
    Date: Mon, 19 Dec 2011 14:51:09 -0800 (PST)
    Subject: Re: Server Co-Location

    I've scanned and attached the contract provided.

    I was able to add the additional 1U server and +$100 pricing to $1,200 per month.

    I will also be faxing this over to the # suggested.

    Tim Tausch

However, the hijacker may have failed to notice that the real Timothy Tausch had unfortunately passed away on January 29, 2010, long before any of the hijacking activity had begun.

The ISP also recorded the IP address used by "Tim" to log in to their customer portal. This IP address was belonging to "Cooplabs, Inc.", a fake ISP in California, controlled by Michael Lindsay. Lindsay is believed by Spamhaus to be responsible for many other network hijackings, and is currently #5 on the Spamhaus Top Ten Worst ROKSO Spammers List.

So it appears that the hijacker has possibly been identified in this case. This hijacking incident was also noted by security researcher Ronald F. Guilmette.

Hijacking incidents are getting worse in recent years as shown by the chart below (a more detailed version available here). This chart shows network BGP announcements of ranges listed in Spamhaus SBL that are believed to be hijacked, and only ranges with "live" SBL listings are included (meaning nobody has stepped up to claim legitimate ownership yet).

The announcements on the left-hand side of the chart are mainly legitimate, but they slowly decrease as more companies become defunct and stop using their IP address ranges. Then, in recent years, these ranges start being hijacked by spammers, at times, announcements of up to 5 million IP addresses.

IP Hijacking Over Time

One way for users to protect their networks from malicious activity associated with these hijacked IP address ranges would be to make use of the free Spamhaus DROP lists.

Sending email through hijacked IP address ranges is of course one of the few criminal provisions of the U.S. CAN-SPAM Act. And hijacking usually involves other serious crimes such as wire fraud, forgery, and identity theft.

Who can help stop these hijackings? ARIN has stated that it must abide by procedures defined via its Policy Development Process, which sometimes can limit ARIN's ability to take action, even when notified of false information being added to its records. It would seem that this activity will continue to be a problem until law enforcement starts to prosecute these criminal hijacking gangs and the spammers they conspire with.

Spamhaus Information

Press Office
Spamhaus News Index
Spamhaus in the media
About Spamhaus
Spamhaus Official Statements
Article Information

Permanent link to this news article:
Network Hijacking on the Rise

Subscribe to RSS News Feed
Spamhaus News Quotes

Permission to quote from or reproduce Spamhaus News articles is granted automatically providing you state the source as Spamhaus and link to the news record.
© 1998-2016 The Spamhaus Project Ltd. All rights reserved.
Legal  |  Privacy