July 11, 2018

Score one for the good guys: Bitcanal, a Portuguese Web hosting firm long accused of helping spammers hijack large swaths of dormant Internet address space over the years, was summarily kicked off the Internet this week after a half-dozen of the company’s bandwidth providers chose to sever ties with the company.

Spammers and Internet service providers (ISPs) that facilitate such activity often hijack Internet address ranges that have gone unused for periods of time. Dormant or “unannounced” address ranges are ripe for abuse partly because of the way the global routing system works: Miscreants can “announce” to the rest of the Internet that their hosting facilities are the authorized location for given Internet addresses. If nothing or nobody objects to the change, the Internet address ranges fall into the hands of the hijacker.

For years, security researchers have tracked the suspected theft of millions of IPv4 Internet addresses back to Bitcanal, which was also doing business under the name “Ebony Horizon.” Experts say shortly after obtaining a chunk of IP addresses, Bitcanal would apparently sell or lease the space to spammers, who would then begin sending junk email from those addresses — taking full advantage of the good or at least neutral Internet reputation of the previous owner to evade anti-spam blacklists.

Much of the hijacked address space routed by Bitcanal was once assigned to business entities that no longer exist. But some of the more brazen hijacks attributed to Bitcanal and its customers involved thousands of Internet addresses assigned to active organizations, such as the company’s well-documented acquisition of address space assigned to the Texas State Attorney General’s office, as well as addresses managed by the U.S. Department of Defense.

Bitcanal’s reputation finally caught up with the company late last month, when anti-spam activist and researcher Ron Guilmette documented yet another new major IP address hijack at the company and challenged Bitcanal’s upstream Internet providers to stop routing traffic for it (KrebsOnSecurity has published several stories about previous high-profile IP address hijacks involving spammers who were flagged by Guilmette).

Guilmette said Bitcanal and its proprietor — Portuguese businessman Joao Silveira — have a well-documented history of “behaving badly and coloring outside the lines for literally years.”

“His actions in absconding with other people’s IP address space, over the years, are those of either a spoiled child or else those of a sociopath, depending on one’s personal point of view,” Guilmette said. “In either case the Internet will, by and large, be glad to see his backside, and will be better off without him.”

Doug Madory, a researcher for Internet performance management firm Dyn (now owned by Oracle), published a blog post chronicling Bitcanal’s history as an address “hijack factory.” That post also documents the gradual ostracization of Bitcanal over the past week, as one major Internet exchange after another pulled the plug on the company.

Dyn’s depiction of Bitcanal’s final remaining upstream Internet provider pulling the plug on the company on July 10, effectively severing it from existence on the Web. Source: Dyn.

Reached for comment just days before Bitcanal was shunned by all of its peering providers, Mr. Silveira expressed shock and surprise over what he called unfair attacks against his company’s reputation. He blamed the besmirchment on one or two “bad” customers who abused his service over the years.

“My thought is that one or two customer in my network maybe [imitated] people acting like a client and force the errors or injecting bad network space,” Silveira said in an emailed response to KrebsOnSecurity. “I am not the problem and this public trial and conviction will not solve the prefix hijacking matter. If these questions remain without solution, those actors will keep doing it.”

Another business tied to Mr. Silveira suggests that Bitcanal/Ebony Horizon has long been actively involved in obtaining sizable chunks of Internet address space on behalf of its clients. The same contact phone number that once existed on the (now unreachable) home page of Bitcanal.com also appears on the homepage of ip4transfer.net, a company that advertises the ability to lease large chunks of Internet address space.

Bitcanal owner Joao Silveira.

The current WHOIS registration records for ip4transfer.net are mostly redacted by domain registrar GoDaddy, but the name Ebony Horizon appears as the current business name, and Mr. Silveira’s name is on the original domain registration records from 2016, according to historic WHOIS records maintained by DomainTools [full disclosure: DomainTools is an advertiser on this blog].

Much of the content on ipv4transfer.net seeks to answer questions about what customers should expect when leasing address space from the company, including the possibility that some leased address ranges could be flagged as malicious or spammy by Spamhaus.org, an anti-spam group whose spam blacklists are relied upon by many ISPs to block large-scale spam campaigns. Prior to Bitcanal’s final disconnection this week, Spamhaus had blacklisted virtually all of Bitcanal’s address ranges as sources of spam and/or malicious email.

“Legitimate IP address space brokers don’t need to spend a lot of ink telling their customers how to avoid getting their shiny new IP address blocks listed by Spamhaus, or how to get them unlisted by Spamhaus, or what to do about it if the shiny new block they just purchased is already listed by Spamhaus,” Guilmette said.

Because the global routing of Internet address space is largely based on trust relationships between and among network operators, those operators have an obligation to ensure they’re not inadvertently facilitating the hijacking of Internet address space.

Perhaps coincidentally to the disconnection of Bitcanal, the RIPE Network Coordination Centre — one of the five global Regional Internet Registries (RIRs) providing Internet address allocations — on July 10 published an analysis of route hijacking activity across the Internet. The analysis includes a set of tips for network operators to help avoid contributing to the overall problem.


30 thoughts on “Notorious ‘Hijack Factory’ Shunned from Web

  1. Gary

    Doesn’t the postfix PTR check stop this type of spamming. That is just having an IP address doesn’t mean you look like a legit email server.

    1. Arjan

      Nope.

      Ruthlessly checking wether or not A and PTR match is sometimes deemed useful, but tons of legitimate mail servers do not have matching records. The RFC’s still say SHOULD, not MUST on that subject. So blocking mail due to a mismatch is an RFC violation.

      It can be used for scoring at best.

  2. The Sunshine State

    This is just the tip off the iceberg, the Internet address space in China is out of control when it comes to spam abuse.

  3. Chip Douglas

    “Bitcanal’s reputation finally caught up with the company late last month”

    Right about the time my junk mail folder stopped being glutted with spam.

    1. always watching

      And only took another day and a half to return right where it left off. :/

    2. JCitizen

      I noticed a temporary drop too. They’ll get it back, they always do.

  4. cdot

    Great work Mr. Krebs ! It’s always a grand idea to present pictures of the foul ones.
    Keep it coming. As the swamp gets drained the U.S. agencies will once again go after, arrest and convict these reprobate.

  5. Falco

    Now days all the crooks scammers fraudsters and former carders dumpsters dumps shoppers u know
    They all are in crypto currency business, and nothing else matters! Bitcouns and things like that.
    This stuff what we read now spammers fraudsters scammers and so its the old school but times are moved now is 2018 not 2008 we all member good times 2007,2009 it was most of the times for profit. But not anymore guys

  6. JCitizen

    I can see why spammers moved to this method, because I wouldn’t be surprised that the drop in desktop and laptop PC sales, meant that they would have to build a spambot network based on cell phones and pad devices, which wouldn’t be as efficient as simply getting your own address space.

    You don’t hear much about people’s PCs being taken over by spambots these days, it is probably more of a rarity now. Maybe also because PC operating systems became more secure as well.

  7. Troy Mursch

    Yet again, Ronald Guilmette single-handedly cleans up the internet. Thanks for reporting on this Brian.

    1. Phil

      Not quite single-handedly. Significant credit should be given to Job Snijders from NTT who was the driving force behind persuading transits and IXs to disconnect Bitcanal.

      1. Troy Mursch

        True, Job also kept the NANOG thread in check when he stated, “People – please just stop the off topic chatter. It is ludicrous that a thread about bgp hijacks morphed into font discussions. Either contribute to the operational issue at hand by evaluating your terms & conditions (or abuse policies) and applying them to your operations, or remain silent.”

    2. Ron G

      Ummm.. yea. What Phil said. I wish that I could take credit for largely or entirely disappearing BitCanal from the civilized Internet, but I can’t. Far from it. Job did quite a lot, as did Doug Madory by simply documenting the mess that was BitCanal’s hijacks over the years. And Brian’s coverage of this gigantic clusertf*** helped also to convince some people & entities that might otherwise have been sitting on the fence to pull the plug.

      One important point that, I’m sad to say, didn’t make it into Brian’s report was/is that EbonyHorizon (aka Bitcanal) was and is an official RIPE “Recognised IPv4 Transfer Broker”:

      https://bit.ly/2uzW6UC

      So, you know, apparently being an IPv4 address space thief is apparently not a disqualification from being inducted into this exclusive RIPE club.

      I hope that everyone will remember that I pointed out this sad fact about BitCanal, and its apparently formal endorsement by RIPE. This may not be the last time such an issue comes up.

      <>

      1. acorn

        You brought up another instance, me seeing other instances over a decade, that RIPE could be overhauled or replaced.

  8. Hazrat Ali

    Appricieted work Mr. Krebs ! It’s always a grand idea to present pictures of the foul ones.
    Keep it coming. As the swamp gets drained the U.S. agencies will once again go after, arrest and convict these reprobate.

  9. Reader

    Spam spam spam Hide Behind Go Daddy spam spam spam Hide Behind Go Daddy….

    Why does that name pop up nearly every time you discuss spam?

    I think Go Daddy and Name Cheap should also be shunned for facilitating and hiding the identities of Internet vermin.

  10. Ben Grimm

    So when are providers going to pull the plug on Psychz, Nobis, ColoCrossing, Nexeon, Input Output Flood, Lanset, Versaweb, etc. etc. etc.? 100% spam, all of them.

  11. Komodoro

    So what about google.com? They are listed in spamhaus as top5 spammers. Why nobody talk about those?

    1. Gary

      There will always be the case where some spammed gets a Gmail or yahoo account and spams until detected and shut down. I doubt you can do volume spamming this way.

      Most of my spam is in fact from Gmail.

      1. Komodoro

        You always use Gmail SMTP to relay your email. And send out w/e you want with a different header on the email.
        But the fact is that Google is the one being considered spammy as domain and IP’s and not Gmail. Or even, now known, Alphabet. Either way, Google must be one of the only email carriers that don’t use spamhaus at all. Microsoft must be one of the biggest spamhaus users. Did any of you have ever worked at a telecommunication company? The thing behind Bitcanal must be a whole other story just to be this simple. What would a company like this gain using their own network for spamming? In fact, aren’t they a peering supplier? This could a whole different story if some of the clients would be abusing of this and the company itself would get burned by it. But yeah… The company y itself

        1. Komodoro

          The company itself should be monitoring the network correctly so this wouldn’t happen.

  12. Peter Pearson

    “… the Internet will, by and large, be glad to see his backside…”

    Uh . . . no, thanks. May I please apply for a different metaphor?

    1. acorn

      That’s the web site, not the regional Bitcanal network, two different networks.

      Bitcanal regional seems down best I can determine, no announced IP ranges on the CIDR report for AS3266.

      1. acorn

        In other words, the graphical web site is up; the customer base network is down.

  13. jarvir

    Is it sure he’s gone though? How easy is it for him to set up a new company and service and to continue to do what he did?

    1. jarvir

      … more specifically, what is required for someone to act as an ISP and to get the possibility to grab those IP addresses? I’ve wondered about this also with regard to those ISPs that have deliberately caused traffic to be misrouted like that one case in Iceland.

      1. acorn

        Don’t know about the ISP level; but at the IP level the same IP addresses are still blocked by utilizers of certain blocklists, it’d still be an ISP with no routing to utilizers of certain blocklists.

        The ISP owner has a name for himself/herself in the region, a bad one, and only certain upstream providers are available for connectivity to the region, some or all of the same ones dealt with before.

  14. Firefox Support

    It is a good news as well as bad news. Due to the excessive spreading of spamming it was better to be shunned.

Comments are closed.