
A Case of Network Identity Theft?

Digital real estate leased to one of the Internet's oldest landholders appears to have been quietly seized by e-mail marketers closely associated with an individual once tagged by anti-spam groups as one of the world's most notorious spammers.

What's remarkable about this case study is that it pits a vocal spammer against the American Registry for Internet Numbers, which has yet to take action. ARIN is one of five regional Internet registries worldwide that are responsible for allocating IP addresses (ARIN handles this process for the United States, Canada and 22 Caribbean countries).

The real estate in question is Internet address space long ago issued to San Francisco Bay Packet Radio, an organization that was involved way back in the 1970s in testing ARPANET, a predecessor to the global commercial Internet that we all use today. That organization was given the rights to do whatever it wanted with any numeric Internet addresses that begin with 134.17 (an allocation that is known in the industry as a "slash 16" or "/16," or enough address space to accommodate up to 65,536 unique Internet addresses).

Back in the 1970s, blocks of IP addresses were given away like cotton candy to pretty much anyone who asked, and many entities that were awarded the stuff didn't use most of what they were given. The San Francisco Packet Radio group was no exception, which was probably why e-mail marketers figured that nobody would notice if they moved into that space and set up shop.

That entire swath of Internet space is now registered to an entity in Westminster, Colo., called SF Bay Packet Radio LLC, but except for a similar name, this company has no relation to San Francisco Bay Packet Radio.

The name on SF Bay Packet Radio LLC's business records lists a Trudy DeBell as the registered agent. DeBell also is the chief financial officer for a company called Media Breakaway, an online marketing company which lists as its president an attorney named Steven Richter. Richter says Media Breakaway has 70 employees and generates more than $100 million in annual revenue.

As it happens, Steven is father to one Scott Richter, an e-mail marketer who has been sued for sending spam by a number of the Internet's biggest players, including Microsoft, Myspace and former New York Attorney General Eliot Spitzer. In 2005, Scott Richter agreed to pay $7 million in damages to Microsoft. He is now CEO of Media Breakaway.

A trace through the global Internet routing tables conducted by Security Fix indicates that traffic destined for the Internet addresses previously owned by the original San Francisco Bay Packet Radio entity is now being routed through servers controlled by a San Diego based e-mail marketing company called JKS Media LLC.
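Checking who originates a prefix is the kind of routing-table trace described above. The following is an added Python example, not code from Security Fix or from any party named in this story: it matches a constructed BGP table against a constructed registration record and flags any announcement whose origin AS is not the one recorded for the holder of the covering block. It goes one step beyond the story by also catching a more-specific announcement carved out of the /16; the prefix data is made up and the AS numbers come from the RFC 5398 documentation range.

```python
import ipaddress

# Constructed BGP table: "prefix AS_PATH"; the origin AS is the last hop.
RIB_LINES = """\
134.17.0.0/16 64496 64497 64510
134.17.128.0/17 64496 64499 64511
198.51.100.0/24 64496 64500
"""

# Constructed registry view: block -> AS numbers the recorded holder allows
# to originate it (what a route object or ROA would say). Documentation ASNs.
EXPECTED_ORIGINS = {
    "134.17.0.0/16": {64510},
    "198.51.100.0/24": {64500},
}

def parse_rib(text):
    """Return (network, origin_as) pairs from a whitespace-separated table."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue  # skip blank or malformed lines
        routes.append((ipaddress.ip_network(fields[0]), int(fields[-1])))
    return routes

def best_route(routes, addr):
    """Longest-prefix match: the most specific announcement covering addr."""
    ip = ipaddress.ip_address(addr)
    matches = [(n, o) for n, o in routes if ip in n]
    return max(matches, key=lambda r: r[0].prefixlen, default=None)

def covering_expectation(net):
    """Find the registered block containing net (the /16 also covers its /17)."""
    for block, asns in EXPECTED_ORIGINS.items():
        if net.subnet_of(ipaddress.ip_network(block)):
            return block, asns
    return None, set()

def audit(routes):
    """Flag announcements whose origin AS is not authorized for the covering block."""
    findings = []
    for net, origin in routes:
        block, allowed = covering_expectation(net)
        if block is None:
            findings.append((str(net), origin, "no registration found"))
        elif origin not in allowed:
            findings.append((str(net), origin, f"unexpected origin for {block}"))
    return findings
```

Run against a real table dump and your own registration data, the same audit is a cheap daily check that the space registered to you is still originated only by the networks you authorized.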

Who owns JKS Media? When Security Fix tried connecting to the site over an FTP (file transfer protocol) connection, the greeting displayed by the site read "wholesalebandwidth.com," a company owned by Media Breakaway. Anti-spam activists have implicated wholesalebandwidth.com in multiple spam operations. Steve Richter confirmed that JKS Media also is owned by Media Breakaway.

So what about spam currently being sent through the networks now controlled by JKS Media? A review of records posted by both Spamhaus.org and e-mail provider Outblaze.com shows that a large number of Internet addresses in the company's Internet space have been blacklisted for sending junk e-mail.

A spokesperson for Spamhaus said that JKS Media/Media Breakaway had indeed hijacked the IP space from its previous owner, and that the IP space should be revoked under the rules set out by ARIN.

For his part, Steve Richter claims Media Breakaway obtained the IP space after purchasing SF Bay Packet Radio LLC (the company whose registered agent is Trudy DeBell, the current CFO of Media Breakaway). In an interview with Security Fix, Richter said the IP addresses are "legacy space," in that they were issued prior to ARIN's creation in 1997. As such, Richter maintains that ARIN has no control over the space.

"It's not controlled by ARIN, so there's no hijacking," Richter said. "It's not under ARIN's jurisdiction and we purchased a company that had that space. ARIN has nothing to say about it, it's not under their control. We haven't taken anything from anybody, haven't done anything that wasn't proper."

ARIN's General Counsel Stephen Ryan said ARIN was aware of the allegations and was investigating. "The matter has come to ARIN's attention, it is under review, and at this point I can't say more except that we're looking at it very diligently."

Ryan said that, depending on what its investigation unearths, ARIN has several options: It can demand more information from the registrant, revoke the IP space in question, and/or refer the matter to law enforcement if it is determined that the applicant filed false documentation about corporate records. If ARIN finds that Media Breakaway falsified documents to obtain the IP space, and the matter is referred to law enforcement, Media Breakaway could be charged with mail fraud or wire fraud if it falsely submitted those documents via the U.S. mail or over the Internet.

In January, ARIN revoked the IP space of a company in Houston that failed to pay annual maintenance fees for the space and refused to provide more information about a pending transfer of the IP space to a third party, which claimed it had purchased the company whose IP space it was requesting.

I suppose it is possible that groups like Outblaze and Spamhaus are simply mistaken in listing Internet addresses assigned to Media Breakaway as sending e-mail to people who did not agree to be spammed. But that activity becomes a lot harder to explain if it turns out that the company is sending commercial e-mails from Internet space that it obtained through trickery or sleight of hand.

This type of activity, sometimes called "network identity theft," is not unheard of. In February, Security Fix wrote about how an Internet censorship order by the government of Pakistan led to the inadvertent hijacking of traffic destined for Youtube.com. A more blatant and purposeful incident occurred in 2003, when Los Angeles County found that a substantial portion of its Internet space had been fraudulently hijacked by a guy who operates a network largely populated by porn sites.

Much of the information in this post comes from research conducted and written about last week by Ronald Guilmette, a man who has unsuccessfully tried to sue the Richters on two occasions.

I spoke with Guilmette at length over the weekend about his findings, but he was not eager to be quoted in this story, citing previous run-ins with the Richters and the money they cost him. The legal acumen Richter the elder exhibited in deflecting the brunt of Myspace's spam suit against him speaks volumes about the reason for Guilmette's reluctance.

In January 2007, MySpace sued Scott Richter and his e-mail marketing firm Optinrealbig.com LLC, alleging that Richter gained access to MySpace member accounts and used them to send millions of spam messages appearing to be from users' MySpace "friends." Among the many legal claims MySpace filed was that, in spamming MySpace users, Richter was in "breach of contract" with MySpace's terms of use, the legalese that every user of the site must agree to in order to have a MySpace account.

Interestingly, Scott Richter's attorneys pointed out to the judge in the case that MySpace's own terms of service stipulate that either party to a dispute over violations of the company's terms of service can demand to settle the dispute through arbitration. As a result, in August of last year the judge in the matter ordered both sides into arbitration, and dismissed the lawsuit.

I could not find current contact information for anyone who worked on the original San Francisco Bay Packet Radio project. If you or someone you know was affiliated with that effort, please drop me a line or leave a comment below.

By Brian Krebs  |  April 28, 2008; 6:35 PM ET
Categories:  From the Bunker , U.S. Government  

Comments

You probably already went down this path, but if not, the San Francisco Amateur Radio Club might have some people who are in the know about San Francisco Bay Packet Radio.

http://www.sfarc.org/

Posted by: blob | April 30, 2008 1:39 AM | Report abuse

SF Packet Radio was run out of the Stanford Research Institute.

Douglas Engelbart or someone from his or the other labs would be a good lead to follow up on the disposition of this.

Jim Mathias's name is on many of the drafts related to the address assignment.

Posted by: joel jaeggli | April 30, 2008 3:57 AM | Report abuse

We are the Anonymous

LOL @ Snotty Scotty

iptables -A INPUT -s 134.17.0.0/16 -j DROP

Have a nice day.

Posted by: Anonymous | April 30, 2008 6:35 AM | Report abuse

I can verify that the packet radio experiments were run out of SRI; I was a student at the UCLA CS department in the 1970's, and they had a packet radio group cooperating with the SRI group. The department might still have records; Dr. Kleinrock (who's still on the faculty) might even remember some of the people.

Posted by: Dave Clemans | April 30, 2008 4:04 PM | Report abuse

Posted by: Danny McPherson | April 30, 2008 7:55 PM | Report abuse

I am not surprised by this in the least. We track the IP address space that is used by email marketing companies, and it is surprising how much of the IPv4 space is being swallowed up by email marketing companies. ISPs complain they have a tough time getting even small portions of space allotted, but we see email marketing companies with /19s and /20s all the time.

http://www.spamrats.com
http://www.mipspace.com

Posted by: Michael Peddemors | April 30, 2008 11:41 PM | Report abuse

for those who aren't linux-geekenkind, the line

iptables -A INPUT -s 134.17.0.0/16 -j DROP

is a single item to -Add to one's linux-kernel firewall setup, that will DROP all packets coming IN from that netblock.

Since most routers are linux-based nowadays, you can go into the menu of your router setup & tell it to drop that block, through its config interface.

Remember to put a note on the router reminding you of the mod, though, or whenever his block gets reclaimed by legit people, *they* won't be able to connect with you...

( that also means periodically checking to see if anything is legit in that space
-shrug-
better than to allow an abuser to manipulate our experience through their junk, anyhow )

For the advanced linuxer, check-out TARPIT instead of DROP ( yes, it isn't in the stock IPTABLES, add it in )

Posted by: Hizself | May 1, 2008 5:50 AM | Report abuse

Pictures of the old SF Bay Packet Radio experiment -

http://www.sri.com/news/imagebank/wireless_comm.html

There's at least one photo in there with what looks like a much younger Vint Cerf

Posted by: SRS | May 2, 2008 10:54 PM | Report abuse

Seems as though ARIN failed their responsibilities... unless the term "legacy" is not just semantics, one has to realize that 0-255 in four octets (IPv4) is a finite set... to disregard the management of a portion and call it "legacy" seems to be making excuses. What can we expect with IPv6?

Posted by: Buddy Milo | May 3, 2008 8:37 AM | Report abuse

Legacy address space is not just semantics; it has to do with the way the IP address numbers were assigned. Before ARIN was set up, address space was assigned by Jon Postel and IANA. While I am not a lawyer, my understanding is that these assignments were open-ended and, unless the assignee gives the rights back to ARIN (or another Registrar), ARIN indeed has no rights over the address blocks. This makes legacy space very similar to the "King's Grant" land in New England.

There are no such issues with the IPv6 address space.

Posted by: Marshall Eubanks | May 4, 2008 10:53 AM | Report abuse

I don't generally feel anything until noon; then it's time for my nap.

Posted by: Airline Ticket | May 5, 2008 6:28 AM | Report abuse

I think it's a big mistake to analogize IP address space (or anything in cyberspace) to real estate, even if it is a useful analogy for explaining the concept. The reason is that we then are in danger of ascribing to digital space the same bundle of property rights that we ascribe to real estate. Cyberspace is different. Let's not try to turn it into meatspace just because we can't understand it any other way.

Posted by: dvd | May 8, 2008 3:00 PM | Report abuse

I have a copy of the book "The User's Directory of Computer Networks", edited by Tracy L. LaQuey, Digital Press, 1990 (DP ISBN 1-55558-047-5; PH ISBN 0-13-950262-9).

Which shows:

134.17.0.0 BAY-PR-NET; SF Bay Packet Radio; Medin, Milo (MSM1)
MEDIN@NSIPO.NASA.GOV, (415) 604-6440

It looks like this network was affiliated with NASA Ames, rather than SRI.

The same person (MSM1) is also listed as the contact for a number of other NASA networks, one of the NSFNet contacts for NASA Ames, as well as the contact for a couple of NOAA, USGS, and other random networks.

Posted by: bob Vaughan | May 13, 2008 3:49 PM | Report abuse

Identity theft can happen to anyone, a very scary situation. Just lately, I found an article here: http://personalmoneystore.com/moneyblog/2008/08/16/harvard-gets-hacked-by-scam-mortgage-site-video-proof-exposed-by-the-personal-money-store-no-fax-payday-loans/ This is all about hackers that plague Google results. The major targets are the reputable non-commercial domains such as .edu, .gov and .org. This is a big concern since these malicious acts are done just to gain profit and some unfair advantage. Let us all be wary of these acts of deception. I am very thankful to http://personalmoneystore.com for posting this article. It is very important that all people become aware of this, especially their targets.

Posted by: no fax payday loan-david | August 18, 2008 6:44 AM | Report abuse

The comments to this entry are closed.


© 2010 The Washington Post Company