|Tweet Follow @spamhaus||
Network Hijacking on the Rise
Subscription Bombing: COI, CAPTCHA, and the Next Generation of Mail Bombs
More Domain Stats: The 10 Most Abused Registrars
SBL/ZEN DNS lookups to return DROP/eDROP status
Spamhaus Presents: The World's Worst Top Level Domains
Verizon Routing Millions of IP Addresses for Cybercrime Gangs
Brazilian internet users suffer SoftLayer's security fail
Network under attack? You might be surprised where that's coming from!
Older News Articles:
Spamhaus News INDEX
|As we discussed in a previous article, allocations of IP addresses (IPv4 addresses) are getting hard to come by, especially for spammers. Because the IP addresses they use quickly get a bad reputation as sources of spam, spammers constantly need fresh IPs that are not yet "burned".
To get around this problem, spammers increasingly now turn to a cheap and plentiful source of IP addresses by hijacking existing IP address ranges from under the noses of the legitimate owners and ARIN.
How is the hijacking accomplished? Let's take a look at one example.
Favourite targets for the hijackers are Legacy IP address ranges. Since these IP address ranges were originally issued prior to ARIN's inception in 1997, they can not be revoked for lack of paying yearly fees, and it's possible for them to lie dormant, sometimes forgotten by the legitimate owners.
In 2012, Spamhaus became aware of spam being sent from one of these legacy IP address ranges, 188.8.131.52/16, owned by Chemstress Consultant Company. Looking at the routing history for 184.108.40.206/16:
We can see that this range has not been used for a while, and has a history of short lived announcements. This isn't looking good for the announcements being legitimate.
So we can then take a look at the WHOIS history from ARIN and GoDaddy and trace the hijacker's exact steps:
From: <firstname.lastname@example.org> Date: Mon, 19 Dec 2011 14:51:09 -0800 (PST) Subject: Re: Server Co-Location I've scanned and attached the contract provided. I was able to add the additional 1U server and +$100 pricing to $1,200 per month. I will also be faxing this over to the # suggested. Cheers! Tim Tausch ChemstressConsulting.com 330-671-3025
However, the hijacker may have failed to notice that the real Timothy Tausch had unfortunately passed away on January 29, 2010, long before any of the hijacking activity had begun.
The ISP also recorded the IP address used by "Tim" to log in to their customer portal. This IP address was 220.127.116.11 belonging to "Cooplabs, Inc.", a fake ISP in California, controlled by Michael Lindsay. Lindsay is believed by Spamhaus to be responsible for many other network hijackings, and is currently #5 on the Spamhaus Top Ten Worst ROKSO Spammers List.
So it appears that the hijacker has possibly been identified in this case. This 18.104.22.168/16 hijacking incident was also noted by security researcher Ronald F. Guilmette.
Hijacking incidents are getting worse in recent years as shown by the chart below (a more detailed version available here). This chart shows network BGP announcements of ranges listed in Spamhaus SBL that are believed to be hijacked, and only ranges with "live" SBL listings are included (meaning nobody has stepped up to claim legitimate ownership yet).
The announcements on the left-hand side of the chart are mainly legitimate, but they slowly decrease as more companies become defunct and stop using their IP address ranges. Then, in recent years, these ranges start being hijacked by spammers, at times, announcements of up to 5 million IP addresses.
One way for users to protect their networks from malicious activity associated with these hijacked IP address ranges would be to make use of the free Spamhaus DROP lists.
Sending email through hijacked IP address ranges is of course one of the few criminal provisions of the U.S. CAN-SPAM Act. And hijacking usually involves other serious crimes such as wire fraud, forgery, and identity theft.
Who can help stop these hijackings? ARIN has stated that it must abide by procedures defined via its Policy Development Process, which sometimes can limit ARIN's ability to take action, even when notified of false information being added to its records. It would seem that this activity will continue to be a problem until law enforcement starts to prosecute these criminal hijacking gangs and the spammers they conspire with.
Spamhaus News Index
Spamhaus in the media
Spamhaus Official Statements
Permanent link to this news article:
Network Hijacking on the Rise
Subscribe to RSS News Feed
Permission to quote from or reproduce Spamhaus News articles is granted automatically providing you state the source as Spamhaus and link to the news record.