Legitimate Companies Power Spam Infrastructure
Written by Jesmond Darmanin on December 3, 2008
It is absolutely amazing that legitimate Internet and telecommunication companies provide a huge global infrastructure that spammers leverage every day. These companies are in business to facilitate legitimate business growth, but it is hard to distinguish legitimate businesses from those set up to deliberately send illegal spam.
“White Paper – Atrivo and their Associates” was recently published by Jart Armin. It provides the results of a study initiated to track and document scientifically the ongoing cyber criminal activity from within the IP space and servers controlled by the California-based Atrivo, and other associated entities. This white paper was published in association with James McQuaid and Matt Jonkman. The Technical Review of this white paper was performed by Bob Bruen and David Bizeul with the help and assistance of many “concerned netizens” within the Internet and Open Source Security community.
Atrivo is a significant Service Provider and peering point on the Internet, and controls a large number of IP addresses used to serve content to end users all over the world. The motivation behind this study is the concern that unless we as an Internet community take action to “stop” the cyber criminals, the average user will increasingly clamor for governmental controls or seek a closed Internet to protect them.
This is an Open Source Security study set out to quantify and continuously track cyber crime using numerous methods of measurement. It focuses specifically on the notorious Atrivo, which has been seen by many over several years as a main conduit for financial scams, identity theft, spam and malware. This study, although fully self-contained, is the first of a series of reports; on a monthly basis there will be a follow-up reporting on the community response, the efforts of the cyber criminals to evade exposure, listings to assist in blocking the risks to Internet users, and hopefully efforts to stop them.
The Anonymous Services
A further key factor in cyber crime is anonymity; the most important of these Atrivo associations are EstDomains (anonymous registrant), EstHost (anonymous hosting), PrivacyProtect (anonymous registrant) and LogicBoxes (hosting servers). As background rather than an elaborate explanation, this version of the study uses a few simple community quotes:
- Spam: 76.09% - 35 of 46 active domains appearing in (spam) email which are registered at ESTDOMAINS, INC. are listed by URIBL in the last 5 days. (URIBL – 08/28/08)
- Fake Codec web sites: Most importantly all 113 domains are or were registered with Estdomains, similarly all of the active 53 domains are hosted by AS27595 by Atrivo; AKA – Intercage, Inhoster, Cernal, etc. Also added should be AS 36445 a newer Autonomous Server apparently used by Cernal. (RBNexploit and Sunbelt – Oct 2007)
Directi operates Public Domain Registry (PDR), the registrar behind LogicBoxes, Skenzo and others. They [Directi] ranked #9 in the worst registrar report: there are 14,096 spam-advertised PDR domains on record, of which:
- 27% are software piracy
- 52% are fake pharmacy
- 17% are knockoff goods
LogicBoxes is a major sponsor of the Internet Corporation for Assigned Names and Numbers (ICANN) and part of Directi. LogicBoxes powers the infrastructure of EstDomains. It is still contractually obligated to provide software support and additional services to EstDomains, but Bhavin Turakhia, Directi founder, CEO and Chairman, says he looks forward to the day when he can completely sever ties with EstDomains. “I would really love to detach ourselves from that organization,” he said. “We’ll have to let portions of that contract run out on its own.”
ICANN is the worldwide authority for IP number assignment. “ICANN doesn’t control content on the Internet. It cannot stop spam and it doesn’t deal with access to the Internet. But through its coordination role of the Internet’s naming system, it does have an important impact on the expansion and evolution of the Internet.”
Level 3 Communications, Inc. (NASDAQ: LVLT), an international communications company, operates one of the largest Internet backbones in the world, connecting 180 markets in 18 countries. The company serves a broad range of wholesale, enterprise and content customers. It is also the owner of Broadwing.