One particular large and well-distributed snowshoe spamming operation
became the subject of my special scrutiny recently. After seeing all
of the various apparently hijacked IP blocks that this particular
snowshoe spamming operation seemed to be relying upon for much of its
IP space, it seemed like the right thing to do for me to report on the
whole mess here.
To begin with, here are a couple of files which show the full extent of
this particular rather vast snowshoe operation (including both hijacked
and non-hijacked parts). By my count we are talking in excess of 6,300
separate second-level gTLD domain names.
http://www.47-usc-230c2.org/20110414-snowshoe-1.txt
http://www.47-usc-230c2.org/20110414-snowshoe-2.txt
Dredging into this operation more deeply led me to the following
conclusions...
Based upon information and belief, the following number resources have
been hijacked, i.e. they either are now, or were in the recent past being
used without proper authorization by a party or parties to whom these
resources were not assigned by any RIR. (Unless otherwise specified
below, these are all ARIN-assigned number resources.)
AS8143 (1)
AS29987 (2)
AS11756 (3) (4)
AS47024 (5)
AS27906 (6)(7)
198.23.32.0/20 - NET-198-23-32-0-1 (8)
198.57.64.0/20 - NET-198-57-64-0-1 (9)
199.88.32.0/20 - NET-199-88-32-0-1 (10)
199.192.16.0/20 - NET-199-192-16-0-1 (11)
199.196.192.0/19 - NET-199-196-192-0-1 (12)
200.107.216.0/21 - GT-AGSA1-LACNIC (13)
204.147.240.0/20 - NET-204-147-240-0-1 (14)
207.22.224.0/19 - (NET-207-22-192-0-1) (15) (16)
Notes