[Asrg] News Article - Stealing IP address ownership to send spam
2003-06-11 12:42:01
 
See the following SecurityFocus article 
(http://www.securityfocus.com/news/5654) and the related Slashdot story 
(http://yro.slashdot.org/yro/03/06/11/1853254.shtml). Some quotes:
--snip--
"The most rapacious consumers of the stolen address space are spammers 
trying to stay a step ahead of anti-spam blacklists. A /16 provides a lot 
of addresses to hide behind, a lot of launch pads for unwanted e-mail, 
squats for hastily-erected spamvertised websites, and attack points from 
which one can scan the Internet for misconfigured proxy servers-- useful 
for laundering even more spam. Some anti-spam investigators believe an 
underground economy exists in which a large block of address space is 
broken down and re-sold in smaller chunks like a boosted Acura in a 
chop-shop. "Money is changing hands," says Kai Schlichting, a veteran 
network engineer who tracks down stolen IP space in his spare time. "I 
wouldn't be surprised if you could sell a /16 for $100,000 in bits and pieces.""

"But elsewhere the scam has intensified in recent months, with at least 
seven large allocations found newly-diverted, and countless other cases 
suspected. Last month anti-spam groups and concerned network operators 
formed a private mailing list to investigate the phenomenon outside the 
view of cyberjackers. "There's anything up to 100 of these blocks out there 
on the loose," estimates Richard Cox, an IT forensics guru with Mandarin 
Technology in the U.K. "That's the magnitude that we're dealing with here.""

"Network operators were galvanized by a particularly brazen case in April, 
when a trail of spam led to the discovery that no-less than six /16s -- 
nearly 400,000 addresses -- had been misappropriated from Trafalgar House, 
a British construction and shipping conglomerate that's now part of Aker 
Kvaerner, headquartered in Norway. From the U.K., Cox discovered that the 
perpetrators conned the American Registry for Internet Numbers (ARIN) into 
changing the contact information for the space. One of the /16s was traced 
to a Dutch spammer, and the other five to a mysterious company called 
"Fedfinancial Corp."

Fedfinancial managed to convince ARIN that it had been contracted to 
provide network management services for Trafalgar. ARIN won't say exactly 
how it was swindled, but registration records show the grifters had an 
authentic-looking e-mail address at a newly-minted "traf-infosystems.net" 
domain, and a genuine street address with matching voice and fax telephone 
numbers. But the phone numbers ring to Nevada and Offshore Business 
Formation, a company that sets up corporations for a fee, and takes orders 
over the Web. Public records show that they incorporated Fedfinancial as a 
Nevada corporation last January, on behalf of an unnamed client. The street 
address is also theirs."

"But like the mob moving in on a neighborhood poker game, spammers have 
turned a once-harmless misdemeanor into an organized and well-funded 
scheme. Internet defenders shudder at the thought of large portions of the 
net's real-estate under the control of anonymous rogue entities. "There's 
no accountability. You don't know who really owns this particular address 
space. You have no way of finding out," says Schlichting." Some even worry 
that malefactors will go a step further, and begin hijacking address space 
that's already in active use. "This whole episode has identified huge 
weaknesses in the Internet's own infrastructure," says Cox. "What we've 
seen happen is trivial compared to what we've seen possible."
--snip-- 
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
 
[Asrg] News Article - Stealing IP address ownership to send spam,
Yakov Shafranovich <=