<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body style="background-color: rgb(255, 255, 255); color: rgb(0, 0,
0); font-family: Tahoma; font-size: 16px;" text="#000000"
bgcolor="#FFFFFF">
All the more reason for service providers in Africa (and around the
world) to be vigilant and deliberate in how they accept routes from
customers.<br>
<br>
Mark.<br>
<br>
<div class="moz-cite-prefix">On 4/Aug/17 05:59, Noah wrote:<br>
</div>
<blockquote type="cite"
cite="mid:20170804040851.79C853087F6A_983F353B@mx1.seacom.mu"
style="border-left: 2px solid #009900 !important; border-right:
2px solid #009900 !important; padding: 0px 15px 0px 15px; margin:
8px 2px; background-color: null !important; color: null
!important;">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<div dir="auto">Hi Will,
<div dir="auto"><br>
</div>
<div dir="auto">This is just the beginning, we are going to see
more and more of these cases as IPv4 continues to deplete in
our region.</div>
<div dir="auto"><br>
</div>
<div dir="auto">Cheers,</div>
<div dir="auto">Noah</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On 3 Aug 2017 8:13 p.m., "Willy MANGA"
<<a href="mailto:mangawilly@gmail.com" target="_blank"
moz-do-not-send="true">mangawilly@gmail.com</a>> wrote:<br
type="attribution">
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">Hi,<br>
read it on NANOG list ...<br>
<br>
<a href="http://163.198.0.0/16" rel="noreferrer"
target="_blank" moz-do-not-send="true">163.198.0.0/16</a>
block is not the first to be hijacked but at least if<br>
someone know the owner or any solution who can fix it ...<br>
<br>
------------------------------<br>
<br>
Date: Thu, 03 Aug 2017 02:52:43 -0700<br>
From: "Ronald F. Guilmette" <<a
href="mailto:rfg@tristatelogic.com" moz-do-not-send="true">rfg@tristatelogic.com</a>><br>
To: <a href="mailto:nanog@nanog.org" moz-do-not-send="true">nanog@nanog.org</a><br>
Subject: Multicom Hijacks: Do you peer with these turkeys
(AS35916)?<br>
Message-ID: <<a
href="mailto:24545.1501753963@segfault.tristatelogic.com"
moz-do-not-send="true">24545.1501753963@segfault.<wbr>tristatelogic.com</a>><br>
<br>
<br>
Well, it took less than a day for my last missive here to
get the<br>
hijacks associated with AS202746 (Nexus Webhosting) taken
down.<br>
I guess that somebody must have smacked Telia upside the
head with<br>
a clue-by-four at long last.<br>
<br>
So, with that out of the way, let's see what else I can
accomplish<br>
this week.<br>
<br>
As I understand it, the theory is that the thing that keeps
the<br>
entire Internet from descending into the final stages of a
totally<br>
broken "tragedy of the commons" is peer pressure. As
everyone knows,<br>
there is no "Internet Police", so the whole system relies on
the<br>
ability and willingness of networks to de-peer from other
networks<br>
when those other networks are demonstrably behaving badly.<br>
<br>
Let's find out if that actually works, in practice, shall
we?<br>
<br>
According to <a href="http://bgp.he.net" rel="noreferrer"
target="_blank" moz-do-not-send="true">bgp.he.net</a>, the
top three peers of AS35916 (Multacom)<br>
are as follows:<br>
<br>
AS2914 NTT America, Inc.<br>
AS3223 Voxility S.R.L.<br>
AS209 Qwest Communications Company, LLC<br>
<br>
I'd like help from any and all subscribers to this mailing
list who<br>
might have contacts in these companies. I'd like you to
call their<br>
attention to Multacom's routing of the following block
specifically:<br>
<br>
<a href="http://163.198.0.0/16" rel="noreferrer"
target="_blank" moz-do-not-send="true">163.198.0.0/16</a><br>
<br>
This is a long-abandoned Afrinic block belonging to a
semi-defunct<br>
company called "Agrihold". In fact, this block was a part
of the<br>
massive number of hijacked legacy Afrinic /16 blocks that I
pointed<br>
out, right here on this mailing list, way back last November:<br>
<br>
<a
href="https://mailman.nanog.org/pipermail/nanog/2016-November/089164.html"
rel="noreferrer" target="_blank" moz-do-not-send="true">https://mailman.nanog.org/<wbr>pipermail/nanog/2016-November/<wbr>089164.html</a><br>
<br>
After that posting, whoever was responsible for all those
blatant<br>
hijackings got cold feet, apparently, and stopped passing
all of those<br>
bogus route announcements out through their pals at AS260,
Xconnect24 Inc.<br>
<br>
And so, for a brief time at least, the wanton pillaging of
legacy Afrinic<br>
/16 blocks, and the reselling of those stolen blocks to
various snowshoe<br>
spammers stopped... for awhile.<br>
<br>
But it appears that on or about January 6th of this year,
Multacom<br>
leapt into the breach and re-hijacked both the <a
href="http://163.198.0.0/16" rel="noreferrer"
target="_blank" moz-do-not-send="true">163.198.0.0/16</a>
block<br>
and also the additional Afrinic legacy block, <a
href="http://160.115.0.0/16" rel="noreferrer"
target="_blank" moz-do-not-send="true">160.115.0.0/16</a>.
(They<br>
apparently stopped routing this latter block some time ago,
for reasons<br>
unknown. But the fact that Multacom was indeed routing
this second<br>
purloined legacy Afrinic /16 block also is in the historical
records<br>
now, and cannot be denied. Multacom's routing of both
blocks began<br>
around January 6th or so of this year, 2017.)<br>
<br>
Just as a courtesy, I sent the block absconders at Multacom
a short email,<br>
earlier today, asking them if they had an LOA which
demonstrates that<br>
they have rights/permission to be routing the <a
href="http://163.198.0.0/16" rel="noreferrer"
target="_blank" moz-do-not-send="true">163.198.0.0/16</a>
block. Of<br>
course, the mystery person (noc@) who emailed me back
claimed that they<br>
did, but unfortunately, he was not under oath at the time.
I asked<br>
if he could show me a copy of this purported LOA, and I
haven't heard<br>
back from anybody at Multacom ever since.<br>
<br>
I don't really think there is any big mystery here, nor do I
think<br>
that Multacom has or had, at any time, any rights to be
routing these<br>
two legacy Afrinic /16 blocks. But they have done so, and
continue<br>
to do so, in the case of the <a
href="http://163.198.0.0/16" rel="noreferrer"
target="_blank" moz-do-not-send="true">163.198.0.0/16</a>
block at least, quite<br>
obviously because -somebody- is paying them to do it, even
in the total<br>
absence of a legitimate LOA.<br>
<br>
And as it turns out, it is quite easy to figure out who
Multacom has<br>
been routing these two hijacked legacy Afrinic /16 blocks
both for and<br>
to.<br>
<br>
It's trivially easy to run a traceroute to any arbitrary IP
address<br>
within the <a href="http://163.198.0.0/16" rel="noreferrer"
target="_blank" moz-do-not-send="true">163.198.0.0/16</a>
block. No matter which one you pick, the<br>
traceroute always passes through a particular IP address,
178.250.191.162,<br>
before the remainder of the traceroute gets deliberately
blocked.<br>
<br>
That IP address is registered *not* to some long lost
African concern, but<br>
rather to a Romanian networking company called Architecture
Iq Data S.R.L.<br>
<br>
That company itself is apparently owned by a fellow by the
name of<br>
Alexandru ("Andrei") Stanciu who hails from the city of
Suceava, Romania.<br>
(Note that this is apparently *not* the same Alexandru
Stanciu who the FBI<br>
arrested on bank and wire fraud charges in 2014. That one
apparently hailed<br>
from Bucharest.)<br>
<br>
Anyway, "networking" seems to be only one of our Mr.
Stanciu's many and<br>
varied business interests. His networking company,
Architecture Iq Data<br>
S.R.L. has a web site (<a href="http://architekiq.ro/"
rel="noreferrer" target="_blank" moz-do-not-send="true">http://architekiq.ro/</a>)
but it is "shallow" to<br>
say the least. Many, and perhaps even most of the links on
the home page<br>
of that company's web site seem to lead nowhere.<br>
<br>
In contrast, Mr. Stanciu has the following other
well-developed web sites<br>
and companies:<br>
<br>
<a href="http://ads.com.ro" rel="noreferrer"
target="_blank" moz-do-not-send="true">ads.com.ro</a><br>
<a href="http://promoart.ro" rel="noreferrer"
target="_blank" moz-do-not-send="true">promoart.ro</a><br>
<a href="http://largeformatprinting.ro"
rel="noreferrer" target="_blank" moz-do-not-send="true">largeformatprinting.ro</a><br>
Promoart S.R.L.<br>
Advertising Distribution Supplies S.R.L.<br>
<br>
Mostly, he seems to be in the advertising business, as
evidenced by the<br>
above web sites, and also by his membership in the "Email
Marketing Gurus"<br>
special interest group over on LinkedIn:<br>
<br>
<a
href="https://ro.linkedin.com/in/alexandru-stanciu-8846aa12a"
rel="noreferrer" target="_blank" moz-do-not-send="true">https://ro.linkedin.com/in/<wbr>alexandru-stanciu-8846aa12a</a><br>
<br>
Given Mr. Stanciu's apparent professional interests, it is
not really all<br>
that<br>
surprising that the two hijacked legacy Afrinic /16 blocks
that Multacom<br>
has been kind enough to route... both for him and to him...
do in fact seem<br>
to be associated with numerous domain names that obviously
consist of<br>
just two random dictionary words smashed together, followed
by either .com<br>
or .net. This exact motif is quite commonly used by and
among many of<br>
the Internet's most prolific snowshoe spammers.<br>
<br>
And of course, Mr. Stanciu's snowshoe spamming domains would
not be<br>
maximally productive unless they each had SPF TXT records
attached...<br>
ones that would pass muster with the recipients of Mr.
Stanciu's spams.<br>
Those SPF TXT records are listed here, along with the relevant
domain names:<br>
<br>
<a href="https://pastebin.com/raw/BbK2YGe6"
rel="noreferrer" target="_blank" moz-do-not-send="true">https://pastebin.com/raw/<wbr>BbK2YGe6</a><br>
<br>
(Whenever possible snowshoe spammers also like to be able to
send out<br>
their spams from IP addresses where they have already
set up nicely<br>
matching reverse DNS, because a lot of recipient mail
servers these<br>
days just won't accept inbound email anymore from
no-reverse-dns IP<br>
addresses. But unfortunately for Mr. Stanciu, and for
Multacom, the fact<br>
that they both just sort of walked off with the <a
href="http://163.198.0.0/16" rel="noreferrer"
target="_blank" moz-do-not-send="true">163.198.0.0/16</a>
block<br>
means that although they can -route- that space, they can't
get the<br>
authority to control the reverse DNS for this block
delegated to them.<br>
In order to do that, they'd have to get permission to do
reverse DNS for<br>
the block FROM THE REAL AND LEGITIMATE BLOCK OWNER. And
since that ain't<br>
them, nor even anybody who even knows what these clever
fellows are up<br>
to, they can't. So Mr. Stanciu is stuck sending out his
spams in a<br>
sub-optimal way, without either matching reverse DNS or even
*any*<br>
reverse DNS for the entire /16 block he's stolen. Sorry Mr.
Stanciu!<br>
Sorry Multacom!)<br>
<br>
As anybody who understands this stuff will by now be utterly
convinced, the<br>
legacy Afrinic address block, <a
href="http://163.198.0.0/16" rel="noreferrer"
target="_blank" moz-do-not-send="true">163.198.0.0/16</a>,
has been hijacked, stolen,<br>
or whatever you prefer to call it, by Mr. Alexandru
("Andrei") Stanciu of<br>
Suceava, Romania, specifically for "snowshoe" spamming
purposes, and with<br>
the significant help and assistance of AS35916, aka Multacom
Corporation<br>
of 16654 Soledad Canyon Rd #150, Canyon Country, California,
91387, which<br>
is actually the entity announcing the routes to this clearly
illicitly<br>
"liberated" IP block.<br>
<br>
So now, would one or more of you kind folks on this list who
are more<br>
fortunate than me, and who have connections please be so
kind as to<br>
let the following entities know about what Multacom is
actually up to<br>
here?<br>
<br>
AS2914 NTT America, Inc.<br>
AS3223 Voxility S.R.L.<br>
AS209 Qwest Communications Company, LLC<br>
<br>
Maybe they won't care, but they should. Maybe we can find
out if the<br>
notion of peer pressure... or perhaps even de-peer
pressure... works<br>
as well in practice as it allegedly does in theory.<br>
<br>
Thanks for listening.<br>
<br>
<br>
Regards,<br>
rfg<br>
<br>
______________________________<wbr>_________________<br>
afnog mailing list<br>
<a href="https://www.afnog.org/mailman/listinfo/afnog"
rel="noreferrer" target="_blank" moz-do-not-send="true">https://www.afnog.org/mailman/<wbr>listinfo/afnog</a><br>
</blockquote>
</div>
</div>
</blockquote>
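<br>
The practical point of the thread, that a provider should accept a customer's
routes deliberately rather than on trust, as an added Python example (this is
not code from any poster on the thread). It implements Route Origin Validation
with RFC 6811 semantics over a set of ROAs, then layers a per-customer LOA
allow-list on top so that a prefix with no ROA at all (the state every
undocumented legacy block is in) is not accepted merely because nothing
contradicts it, and finally renders that allow-list as IOS-style prefix-list
statements. All ASNs, prefixes and ROAs are constructed from documentation
ranges (RFC 5398, RFC 5737, RFC 3849); the three-field LOA entry structure
and the prefix-list rendering are assumptions of the example.<br>

```python
"""Deliberate acceptance of customer routes: RPKI-style Route Origin
Validation (RFC 6811 semantics) combined with a per-customer LOA allow-list,
plus generation of the matching IOS-style prefix-list.

Added example, not from the thread. All ASNs, prefixes and ROAs below are
constructed from documentation ranges (RFC 5398, RFC 5737, RFC 3849).
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Roa:
    prefix: str        # e.g. "192.0.2.0/24"
    max_length: int    # longest announced prefix this ROA authorises
    origin_asn: int    # AS allowed to originate it


def _net(prefix: str):
    return ipaddress.ip_network(prefix, strict=True)


def _covers(container: str, prefix: str) -> bool:
    """True if `prefix` equals or is a more specific of `container`."""
    big, small = _net(container), _net(prefix)
    return big.version == small.version and small.subnet_of(big)


def rov_state(announced: str, origin_asn: int, roas: list[Roa]) -> str:
    """'Valid', 'Invalid' or 'NotFound' for one (prefix, origin) pair.

    Valid: some covering ROA names this origin and its maxLength admits the
    announced length. Invalid: covering ROAs exist but none does.
    NotFound: no ROA covers the prefix at all (the state a legacy block with
    no ROA is in, which is exactly why NotFound must not mean "accept").
    """
    covering = [r for r in roas if _covers(r.prefix, announced)]
    if not covering:
        return "NotFound"
    length = _net(announced).prefixlen
    if any(r.origin_asn == origin_asn and length <= r.max_length for r in covering):
        return "Valid"
    return "Invalid"


# LOA entry: (prefix the customer documented, origin AS permitted, longest
# prefix length allowed). Assumed structure for this example.
LoaEntry = tuple[str, int, int]


def accept_from_customer(announced: str, origin_asn: int,
                         loa: list[LoaEntry], roas: list[Roa]) -> tuple[bool, str]:
    """Accept only if RPKI is not Invalid AND the route is covered by the LOA.

    The second condition is the point: a NotFound route that the customer
    never documented is dropped, instead of being propagated because nobody
    objected.
    """
    state = rov_state(announced, origin_asn, roas)
    if state == "Invalid":
        return False, "reject: RPKI Invalid"
    length = _net(announced).prefixlen
    for prefix, asn, max_len in loa:
        if asn == origin_asn and _covers(prefix, announced) and length <= max_len:
            return True, f"accept: in LOA, RPKI {state}"
    return False, f"reject: not in customer LOA (RPKI {state})"


def ios_prefix_list(name: str, loa: list[LoaEntry]) -> list[str]:
    """Render the LOA allow-list as IOS-style prefix-list statements."""
    lines = []
    for seq, (prefix, _asn, max_len) in enumerate(loa, start=1):
        net = _net(prefix)
        keyword = "ip" if net.version == 4 else "ipv6"
        le = "" if max_len == net.prefixlen else f" le {max_len}"
        lines.append(f"{keyword} prefix-list {name} seq {seq * 10} permit {net}{le}")
    return lines


# Constructed data: one customer, AS64496, with three documented blocks.
ROAS = [Roa("192.0.2.0/24", 24, 64496), Roa("2001:db8::/32", 48, 64496)]
LOA: list[LoaEntry] = [("192.0.2.0/24", 64496, 24),
                       ("198.51.100.0/24", 64496, 24),   # no ROA: NotFound
                       ("2001:db8::/32", 64496, 48)]

if __name__ == "__main__":
    announcements = [
        ("192.0.2.0/24", 64496),      # Valid, in LOA        -> accept
        ("192.0.2.0/25", 64496),      # exceeds maxLength    -> Invalid
        ("192.0.2.0/24", 64511),      # wrong origin         -> Invalid
        ("198.51.100.0/24", 64496),   # NotFound but in LOA  -> accept
        ("203.0.113.0/24", 64496),    # NotFound, not in LOA -> reject
        ("2001:db8:1::/48", 64496),   # Valid more-specific  -> accept
    ]
    for prefix, asn in announcements:
        ok, why = accept_from_customer(prefix, asn, LOA, ROAS)
        print(f"{prefix:18} AS{asn}  {why}")
    print("\n".join(ios_prefix_list("CUST-AS64496-IN", LOA)))
```

The last announcement in the demo, 203.0.113.0/24, is the analogue of the
case in the thread: nothing in RPKI contradicts it, but the customer never
documented it, so it is rejected rather than propagated to peers.<br>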
<br>
</body>
</html>