Multicom Hijacks: Do you peer with these turkeys (AS35916)?

Well, it took less than a day for my last missive here to get the
hijacks associated with AS202746 (Nexus Webhosting) taken down.
I guess that somebody must have smacked Telia upside the head with
a clue-by-four at long last.

So, with that out of the way, let's see what else I can accomplish
this week.

As I understand it, the theory is that the thing that keeps the
entire Internet from descending into the final stages of a totally
broken "tragedy of the commons" is peer pressure. As everyone knows,
there is no "Internet Police", so the whole system relies on the
ability and willingness of networks to de-peer from other networks
when those other networks are demonstratably behaving badly.

Let's find out if that actually works, in practice, shall we?

According to, the top three peers of AS35916 (Multacom)
are as follows:

    AS2914 NTT America, Inc.
    AS3223 Voxility S.R.L.
    AS209 Qwest Communications Company, LLC

I'd like help from any and all subscribers to this mailing list who
might have contacts in these companies. I'd like you to call their
attention to Multacom's routing of the following block specifically:

This is a long-abandoned Afrinic block belonging to a semi-defunct
company called "Agrihold". In fact, this block was a part of the
massive number of hijacked legacy Afrinic /16 blocks that I pointed
out, right here on this maling list, way back last November:

After that posting, whoever was responsible for all those blatant
hijackings got cold feet, apparently, and stopped passing all of those
bogus route announcements out through their pals at AS260, Xconnect24 Inc.

And so, for a brief time at least, the wanton pillaging of legacy Afrinic
/16 blocks, and the reselling of those stolen blocks to various snowshoe
spammers stopped... for awhile.

But it appears that on or about January 6th of this year, Mulutacom
lept into the breach and re-hijacked both the block
and also the additional Afrinic legacy block, (They
apparently stopped routing this latter block some time ago, for reasons
unknown. But that fact that Multacom was indeed routing this second
purloined legacy Afrinic /16 block also is in the historical records
now, and cannot be denied. Multicom's routing of both blocks began
around January 6th or so of this year, 2017.)

Just as a courtesy, I sent the block absconders at Multacom a short email,
earlier today, asking them if they had an LOA which demonstrates that
they have rights/permission to be routing the block. Of
course, the mystery person (noc@) who emailed me back claimed that they
did, but unfortunately, he was not under oath at the time. I asked
if he could show me a copy of this purported LOA, and I haven't heard
back from anybody at Mulatcom ever since.

I don't really think there is any big mystery here, nor do I think
that Multacom has or had, at any time, any rights to be routing these
two legacy Afrinic /16 blocks. But they have done so, and continue
to do so, in the case of the block at least, quite
obviously because -somebody- is paying them to do it, even in the total
absence of a legitimate LOA.

And as it turns out, it is quite easy to figure out who Multacom has
been routing these two hijacked legacy Afrinic /16 blocks both for and

It's trivially easy to run a traceroute to any arbitrary IP address
within the block. No matter which one you pick, the
traceroute always passes through a particular IP address,,
before the remainder of the traceroute gets deliberately blocked.

That IP address is registered *not* to some long lost African concern, but
rather to a Romanian networking company called Architecture Iq Data S.R.L.

That company itself is apparently owned by a fellow by the name of
Alexandru ("Andrei") Stanciu who hails from the city of Suceava, Romania.
(Note that this is apparently *not* the same Alexandru Stanciu who the FBI
arrested on bank and wire fraud charges in 2014. That one apparently hailed
from Bucharest.)

Anyway, "networking" seems to be only one of our Mr. Stanciu's many and
varied business interest. His networking company, Architecture Iq Data
S.R.L. has a web site ( but it is "shallow" to
say the least. Many, and perhaps evenmost of the links on the home page
of that company's web site seem to lead nowhere.

In cotrast, Mr. Stanciu has the following other well-developed web sites
and companies:
    Promoart S.R.L.
    Advertising Distribution Supplies S.R.L.

Mostly, he seems to be in the advertising business, as evidenced by the
above web sites, and also by his membership in the "Email Marketing Gurus"
special interest group over on LinkedIn:

Given Mr. Stanciu's apparent professonal interests, it is not really all that
surprising that the two hijacked legacy Afrinic /16 blocks that Multacom
has been kind enough to route... both for him and to him... do in fact seem
to be associated with numerous domain names that obviously consist of
just two random dictionary words smashed together, followed by either .com
or .net. This exact motif is quite commonly used by and among many of
the Internet's most prolific snowshoe spammers.

And of course, Mr. Stanciu's snowshoe spamming domains would not be
maximally productive unless they each had SPF TXT records attached...
ones that would pass muster with the recipients of Mr. Stanciu's spams.
Those SPF TXT records are listed here, along the relevant domain names:

(Whenever possible snowshoe spammers also like to be able to send out
their spams from from IP addresses where they have already set up nicely
mattching reverse DNS, because a lot of recipient mail servers these
days just won't accept inbound email anymore from no-reverse-dns IP
addreses. But unfortunately for Mr. Stanciu, and for Multacom, the fact
that they both just sort of walked off with the block
means that although they can -route- that space, they can't get the
authority to control the reverse DNS for this block delegated to them.
In order to do that, they'd have to get permission to do reverse DNS for
the block FROM THE REAL AND LEGITIMATE BLOCK OWNER. And since that ain't
them, nor even anybody who even knows what these clever fellows are up
to, they can't. So Mr. Stanciu is stuck sending out his spams in a
sub-optimal way, without either matching reverse DNS or even *any*
reverse DNS for the entire /16 block he's stolen. Sorry Mr. Stanciu!
Sorry Multacom!)

As anybody who understand this stuff will by now be utterly convinced, the
legacy Afrinic address block,, has been hijacked, stolen,
or whatever you prefer to call it, by Mr. Alexandru ("Andrei") Stanciu of
Suceava, Romania, specifically for "snowshode" spamming purposes, and with
the significant help and assistance of AS35916, aka Multacom Corporation
of 16654 Soledad Canyon Rd #150, Canyon Country, Calfornia, 91387, which
is actually the entity announcing the routes to this clearly illicitly
"liberated" IP block.

So now, would one or more of you kind folks on this list who are more
fortunate than me, and who have connections please be so kind as to
let the following entities know about what Multacom is acctually up to

    AS2914 NTT America, Inc.
    AS3223 Voxility S.R.L.
    AS209 Qwest Communications Company, LLC

Maybe they won't care, but they should. Maybe we can find out if the
notion of peer pressure... or perhaps even de-peer pressure... works
as well in practice as it allegedly does in theory.

Thanks for listening.


Dear Ronald,

Thanks for your report, we'll investigate.

Kind regards,


RIPE or one of dem dere responsible RIRs should hire him.

I got a sales call in a few weeks with NTT, let's see if Job is successful
and then I can be duly impressed and even more interested in their products.

This shit actually matters, sometimes.


A few years back, Ronald named-and-shamed my work's new carrier for facilitating a prefix hijacker on this very list. As luck would have it, I had a fresh, crisp business card from our sales rep, so I passed the (quite legitimate) grievance along, and a short time later, the hijacked prefixes had one less upstream.

Years later now, I have a different job, and a circuit with AS209. I'll see if I can't scare someone up (if it's still active by the time I get into the office).

Thanks Ronald. Rest assured that many of us remember. :slight_smile:


FYI, 85 of the 101 domains listed here are have been picked up by various
spammer domain detection methods in place here. I have no doubt that
the other 16 either will be in due course or simply reflect an inadequacy
in my methods.


Also AS57166 (single upstream AS29632 NetAssist) is likely hijacking
10 ASNs, and AS43659 (currently inactive). Both with mnt-by:

DATASTAR-MNT created 14 autnum and 31 route dummy objects in RIPE, on
resources that looks abandoned (2 of them confirmed hijacking);mnt-domains;mnt-irt;mnt-lower;mnt-nfy;mnt-ref;mnt-routes&bflag=true&source=RIPE#resultsAnchor

Someone actually mentioned these back in Oct

Oops, following up a bit late.

I was told yesterday that AS209 blocked their acceptance of from AS35916 based on a number of complaints, which unfortunately left a path via their peering with NTT (which I presume they can't filter for $reasons). But then a short time later AS35916 withdrew the announcement entirely, possibly because of the traffic engineering implications of that filtering (not sure).

Short-term, it's a win, but long-term we may not have seen the last of this prefix.