Score one for the good guys: Bitcanal, a Portuguese Web hosting firm long accused of helping spammers hijack large swaths of dormant Internet address space over the years, was summarily kicked off the Internet this week after a half-dozen of the company’s bandwidth providers chose to sever ties with the company.
Spammers and Internet service providers (ISPs) that facilitate such activity often hijack Internet address ranges that have gone unused for periods of time. Dormant or “unannounced” address ranges are ripe for abuse partly because of the way the global routing system works: Miscreants can “announce” to the rest of the Internet that their hosting facilities are the authorized location for given Internet addresses. If nothing or nobody objects to the change, the Internet address ranges fall into the hands of the hijacker.
For years, security researchers have tracked the suspected theft of millions of IPv4 Internet addresses back to Bitcanal, which was also doing business under the name “Ebony Horizon.” Experts say shortly after obtaining a chunk of IP addresses, Bitcanal would apparently sell or lease the space to spammers, who would then begin sending junk email from those addresses — taking full advantage of the good or at least neutral Internet reputation of the previous owner to evade anti-spam blacklists.
Much of the hijacked address space routed by Bitcanal was once assigned to business entities that no longer exist. But some of the more brazen hijacks attributed to Bitcanal and its customers involved thousands of Internet addresses assigned to active organizations, such as the company’s well-documented acquisition of address space assigned to the Texas State Attorney General’s office, as well as addresses managed by the U.S. Department of Defense.
Bitcanal’s reputation finally caught up with the company late last month, when anti-spam activist and researcher Ron Guilmette documented yet another new major IP address hijack at the company and challenged Bitcanal’s upstream Internet providers to stop routing traffic for it (KrebsOnSecurity has published several stories about previous high-profile IP address hijacks involving spammers who were flagged by Guilmette).
Guilmette said Bitcanal and its proprietor — Portuguese businessman Joao Silveira — have a well-documented history of “behaving badly and coloring outside the lines for literally years.”
“His actions in absconding with other people’s IP address space, over the years, are those of either a spoiled child or else those of a sociopath, depending on one’s personal point of view,” Guilmette said. “In either case the Internet will, by and large, be glad to see his backside, and will be better off without him.”
Doug Madory, a researcher for Internet performance management firm Dyn (now owned by Oracle), published a blog post chronicling Bitcanal’s history as an address “hijack factory.” That post also documents the gradual ostracization of Bitcanal over the past week, as one major Internet exchange after another pulled the plug on the company.
Dyn’s depiction of Bitcanal’s final remaining upstream Internet provider pulling the plug on the company on July 10, effectively severing it from existence on the Web. Source: Dyn.
Reached for comment just days before Bitcanal was shunned by all of its peering providers, Mr. Silveira expressed shock and surprise over what he called unfair attacks against his company’s reputation. He blamed the besmirchment on one or two “bad” customers who abused his service over the years.
“My thought is that one or two customer in my network maybe [imitated] people acting like a client and force the errors or injecting bad network space,” Silveira said in an emailed response to KrebsOnSecurity. “I am not the problem and this public trial and conviction will not solve the prefix hijacking matter. If these questions remain without solution, those actors will keep doing it.” Continue reading
According to security firm 
