February 1, 2011

Egyptian citizens calling for besieged President Hosni Mubarak to step down may have been cut off from using the Web, but spammers have been busy cutting the government off from its own Internet address space: Earlier this month, junk e-mail artists hijacked a large swath of Internet addresses assigned to Mubarak’s wife.

According to Spamhaus.org, well known spammers commandeered a chunk of more than 4,000 IP addresses that were assigned years ago to Suzanne Mubarak and the Suzanne Mubarak Science Exploration Center. Spamhaus reports that those addresses have been used recently to promote a variety of dodgy Web businesses, and that the hijacked block is under the control of an organization that has ties to alleged spammer Michael Lindsay and iMedia Networks. iMedia did not respond to requests for comment.

The high profile land grab is the latest example of how spammers are becoming more brazen in their quest for non-blacklisted Internet address space from which to send spam, said Rod Rasmussen, president and chief technology officer of Internet Identity.

Rasmussen said Internet address space hijackers tend to target chunks of addresses assigned to governments and defense contractors, because those allocations are less likely to be reported missing, and very few of them are blocked by anti-spam tools.

“The spammers doing this look for chunks of [Internet] space that are dormant, but most of all blocks of IP addresses that are whitelisted,” by anti-spam groups, Rasmussen said. “Their spam gets through anti-spam filters nicely after that, or least until the hijacking is detected.”

Sometimes, the scammers are able to hijack IP space by snatching up expired domain names that were used to register the addresses years earlier. The attackers then send an e-mail from that domain to the regional Internet registry that assigned the block of IP, requesting whatever changes they need to assume control over the addresses.In other cases, spammers use forged letters and bogus corporate fronts to impersonate the rightful owner of the addresses.

Another chunk of addresses that Spamhaus found were recently hijacked by spammers — 255 IPs originally assigned in 1994 to the now defunct Claremont Technology Group — appears to have been stolen sometime after the organization let its domain claretech.com lapse. That domain now redirects to Falls Church, Va. based government contractor Computer Sciences Corp (CSC), which acquired Claremont in 1998.

Rasmussen believes we are likely to see a spike in this type hijacking activity as global supply of unassigned IPv4 addresses continues to dwindle and unallocated blocks become more valuable. Experts disagree on exactly when the pool of IPv4 addresses will be drained: Some says as mid- to late 2011, and others claim it’s only a few more days.

While no one questions the need to migrate to a much more roomy IPv6 addressing scheme — which can accommodate many orders of magnitude more addresses — the scarcity within IPv4 is a bit artificial. That’s because many of the world’s largest and oldest corporations control vast, barren expanses of this digital real estate, by virtue of the fact that they were around back at the dawn of the Internet, when large blocks of IP addresses were available to virtually any organization that asked for them. Part of the problem stems from the reality that these address holders haven’t been asked to give any of it back.

“I would fully assume that companies like HP, Ford and Apple are going to be putting together a secondary marketplace for these IPv4 addresses,” Rasmussen said. “If that happens, we’re likely to see all kinds of new and interesting ways to commit fraud in this space.”

Spamhaus also tracked several other notable IP blocks that were hijacked by spammers recently, including more than 65,000 addresses assigned back in 1987 to Fisher-Rosemount Inc. out of Marshalltown, Iowa. The rightful owner of that space is Emerson Process Management, a $6 billion division of $21 billion industrial giant Emerson Corp. Emerson Process Management builds wireless devices used to remotely control and monitor complex industrial systems, such as power and chemical plants.

18 thoughts on “Spammers Hijack Internet Space Assigned to Egyptian President’s Wife

  1. Mark Mueller

    IMO the argument of artificial scarcity is bullshit even in the light of some big blocks from the pre CIDR era. The internet was designed for directly routeable end-to-end connections and we lost that when everyone began to willingly break it with NAT. As a frist mitigation mechanism a more narrow allocation with CIDR avoided a run out years ago.
    Now with IPv6 we have the chance to get back a “real” internet and clear up the routing tables from mistakes made years ago.

    1. Игор

      Putting a computer behind nat, even if you do have your own public IP greatly reduces the vulnerability of the system from outside attackers…

      1. Mark Mueller

        Not that this has much to do with the artificial scarcity argument …

        You can achieve the same ‘security’ with a tiny bit of IP filtering on your border gateway. You’ve to replace all the consumer routers anyway so I don’t see much of problem with pre-loading a firmware with a sane default filtering setup.

        Beside that I’m just waiting for the rebirth of the so called ‘Desktop Firewalls’ which were quite a nice way to make a buck just a few years ago when everybody was behind a ‘safe’ NAT setup. Now they wouldn’t be that pointless though I bet most of them won’t support IPv6 currently and they had a track record of their own vulnerabilities.

  2. Batsy

    Meh. If we’re going to IPv6, we’re going to IPv6. It’s largely out of anyone’s control at some point.

    That aside, not that I won’t be able to get used to it or figure it out but is it just me but does anyone else privately wonder if someone might think of some way to convert the hex address to something a bit more human friendly or just easier on the eyes?

    At the very least, the manual entry (rare maybe for many people) of the address is going to be a tad more irritating compared to IPv4 address. (OK, maybe that was a bit of a whine.)

    Is it just me? Or does anyone else share this view? (Just curious)

    “As I rained blows upon him, I realized there had to be another way” -Frank Constanza

    1. Mark Mueller

      Felt a bit creepy at the beginning but after a few days your getting used to it. You can make it easier for yourself if you
      – zero out as much as possible
      – build up a naming scheme that somehow makes sense for your setup e.g. :deb1 :deb2 enumeration for your debian servers. You can even code in the prior blocks room numbers and/or rack numbers if you like. Big but: such tricks make it easier for potential attackers to locate systems within your subnet. vanHauser talks a bit about it in his 27C3 talk.

  3. Kevin

    Will the move to IPv6 just provide a huge new swath of online real estate for the spammers, or is there something inherent in the new system that will make spamming from all those new addresses infeasible?

    1. Mark Mueller

      Yeah and for how long? My fridge is waiting 🙂
      Beside that there would be growth in the length of routing tables if you start to subnet all those big blocks aswell. Plus it would get even harder to get continous address space.

    1. Mark Mueller

      Regarding the spammers/botnets not much will change because of IPv6. The only thing that will change is that you move from blocking one address to netblocks e.g. the whole /64 assigned to the spamming comcast6 customer (just an example because I read today that they’ll assign a /64). Others might assign /48 for registered space or /56 so you might block bigger blocks aswell.

      Beside that one should always remember that the basic design of IPv6 (aka IP-ng) is 15 years old and wasn’t designed with the security in mind. The IPSec requirement is bit different beast and won’t help most people here.

      1. Avi

        That’s part of the problem – not having a standard for the size of address space assigned. Blocklists need to block only the spammers or they cease to be effective.

        1. Mark Mueller

          Well /64 is the smallest one to expect so I’d say in most cases you’ll block that.
          I hope that nobody is going to assign something smaller against all recommendations but I’ve to admit that you can’t be 100% sure.

  4. Dragos Ruiu

    Well the disagreements on when IPv4 is exhausted can finish today. IANA has announced no more unallocated v4 /8s exist.

Comments are closed.