Friday, August 29, 2008

Washington Post: Atrivo/Intercage, why are we peering with the American RBN?

This Washington Post story came out today:
http://voices.washingtonpost.com/securityfix/2008/08/report_slams_us_host_as_major.html

In it, Brian Krebs discusses the SF Bay Area-based Atrivo/Intercage, which has long been named as a bad actor: accused of answering abuse reports by shuffling the offending hosts to different IP addresses and of hosting criminals en masse, and often compared to RBN (the Russian Business Network) in maliciousness. "The American RBN", if you like.

1. I realize this is a problematic issue, but when it is clear a network is this evil (as the story suggests they are), why are we still peering with them? Who currently provides them with transit? Are they aware of this news story?

Lycos' "Make Love Not Spam" screensaver and Blue Security's Blue Frog were repeatedly run out of hosting, so this has been done before, to some extent. And this network is not in Russia or China, but in Silicon Valley.

2. On a different note, why is anyone still accepting their route announcements? I know some among us re-route RBN traffic to protect users. Do you see this as a valid solution for your networks?

What ASNs belong to Atrivo, anyway?
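To make the second question concrete: refusing a network's route announcements means filtering on the origin AS of each prefix you learn from peers and transit. The following is an added example, not code from the original post or from any of the parties named in it, and it uses placeholder ASNs from the RFC 5398 documentation range and RFC 5737 documentation prefixes, since the post does not name Atrivo's actual ASNs. It parses a small constructed RIB dump, rejects every prefix whose origin AS (including members of a trailing AS_SET) is on the block list, and emits the equivalent Cisco-style as-path access-list.

```python
"""Origin-AS route filter for BGP announcements (added example, not the post's code).

Each input line is "<prefix> <AS_PATH>". The origin AS is the rightmost path
element; if that element is an AS_SET written as "{a,b}", every member counts,
because an aggregating router may hide the real originator inside the set.
"""
import ipaddress

# Placeholder ASNs from the RFC 5398 documentation range (64496-64511).
# These are NOT Atrivo's real ASNs, which the post does not give.
BLOCKED_ASNS = {64496, 64497}

# Constructed sample RIB dump using RFC 5737 documentation prefixes (not real data).
SAMPLE_ROUTES = """\
192.0.2.0/24     64500 64499 64496
198.51.100.0/24  64500 64501
203.0.113.0/24   64500 {64497,64502}
203.0.113.0/25   64500 64498 64497 64499
"""


def origin_ases(as_path):
    """Return the set of ASNs that originate the given AS_PATH string."""
    elements = as_path.split()
    if not elements:
        return set()
    last = elements[-1]
    if last.startswith("{") and last.endswith("}"):
        # AS_SET: any member could be the true originator, so treat all as origins.
        return {int(asn) for asn in last[1:-1].split(",") if asn}
    return {int(last)}


def parse_routes(text):
    """Parse "<prefix> <AS_PATH>" lines into (ip_network, as_path) tuples."""
    routes = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        prefix, _, path = line.partition(" ")
        # ip_network() raises ValueError on malformed prefixes, so garbage is rejected early.
        routes.append((ipaddress.ip_network(prefix.strip()), path.strip()))
    return routes


def filter_routes(text, blocked=BLOCKED_ASNS):
    """Split routes into (accepted, rejected) lists of (prefix_str, as_path)."""
    accepted, rejected = [], []
    for prefix, path in parse_routes(text):
        if origin_ases(path) & blocked:
            rejected.append((str(prefix), path))
        else:
            accepted.append((str(prefix), path))
    return accepted, rejected


def as_path_acl(blocked=BLOCKED_ASNS, acl_number=100):
    """Equivalent Cisco IOS as-path access-list for the same policy.

    "_ASN$" denies paths that end in (are originated by) ASN. In IOS regexes "_"
    also matches "{", "}" and "," so "_ASN_" would instead drop every path that
    contains ASN anywhere, including as transit and inside an AS_SET; pick that
    form if the goal is to avoid routing any traffic through the network at all.
    """
    lines = [f"ip as-path access-list {acl_number} deny _{asn}$" for asn in sorted(blocked)]
    lines.append(f"ip as-path access-list {acl_number} permit .*")
    return "\n".join(lines)


if __name__ == "__main__":
    accepted, rejected = filter_routes(SAMPLE_ROUTES)
    for prefix, path in rejected:
        print(f"REJECT {prefix:18} {path}")
    for prefix, path in accepted:
        print(f"ACCEPT {prefix:18} {path}")
    print(as_path_acl())
```

The plain-Python filter is what you would run over a RIB export or looking-glass output to see what you are currently accepting; the generated access-list is the policy in router terms. Note that filtering the origin AS only stops you from carrying their prefixes; the re-routing some operators do for RBN traffic is a separate step (a static or null route for those prefixes) that this example does not produce.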

Does anyone have more details on the apparent evilness of Atrivo/Intercage, or can anyone verify these reports? Well-researched as they are, and my personal experience aside, I'd like more data before coming to conclusions.

HostExploit has just released a document [PDF] on this very network, which is helpful:
http://hostexploit.com/index.php?option=com_content&view=article&id=12&Itemid=15

Gadi Evron,
ge@linuxbox.org.

Follow me on twitter! http://twitter.com/gadievron

4 comments:

IKillSpammerz said...

I posted the following on their blog post located here:

http://blog.directi.com/company/our-official-response-to-malicious-reports-which-falsely-implicate-the-directi-group/

It used to appear just below the comment that ends with "Good Luck DirectI!" They removed it a day later.

My comment made specific mention of the fact that there was quantifiable evidence that they paid no attention whatsoever to complaints going back at least two years, and that I and several colleagues had noted this in our repeat complaints to them.

Having said all of this, it initiated an email exchange in which Mr. Bhavin and others have finally begun to look at their complaint processes much more seriously; however, their removal of my complaint - which was certainly not libelous or slanderous, but linked directly to documented proof of their lack of action - is most definitely troubling.

Here is my original complaint as posted on their blog on Sept. 5th, 2008:

SiL / IKS / concerned citizen

-----------------------------------

You claim to have no affiliation with any of this claimed illegal activity, and you further claim that you don't support or provide infrastructure for illegal websites or cybercriminal activity.

This recent report is only the latest in a series of reports which have directly implicated Directi / Atrivo / Intercage in providing just this type of support.

Particularly damning evidence citing numerous instances (hundreds) where Directi or Atrivo were directly involved in this type of activity may be found here:

http://www.spamhaus.org/archive/evidence/malwarehosts/atrivo.html

Spamhaus has been attempting to alert you to this for many years and has been exasperated while doing so:

http://www.spamhaus.org/news.lasso?article=636

Several colleagues of mine have received many thousands of spam messages promoting domains which were directly registered by Directi, and for which no action was ever taken. We documented these reports in numerous forums, all with no response of any sort from Directi or Public Domains Registry.

You cannot simply refute this small set of recent reports; there is a lot of documented evidence on the web which bears their claims out.

The fact that Directi and Public Domains Registry are also involved in shady “domain parking” services only furthers my disdain for your so-called “company.”

If you say you're going to do something about it, do something. I and many others have had much greater success even with much more slippery registrars (notably XIN NET and Todaynic in recent months) in seeing swift, very decisive action being taken against criminal domains and activity.

I don't buy your response, nor would anyone else who's been reporting this rampant abuse to you for several years now. The proof is in the pudding.

SiL / IKS / concerned citizen

IKillSpammerz said...

Update: after further communication with them, they may reinstate my comment.

It turns out they actually really do want to tackle this issue. Let's hope their actions are as strong as their words.

SiL

gimley said...

Indeed! :)

lauran said...

This is a very nice and interesting post. It provides lot of useful and meaningful information to me.
------------------
lauran
washington drug rehab