YAY! Re: Atrivo/Intercage: NO Upstream depeer

Hello Mark,

It really seems YOU _DID_ miss the memo.
I think that since no one else is responding to your non-sense, there is no reason for me to either.

If you have something accurate to say, I'll be happy to listen.
Until then, there's not much I can say. There's no sense in repeating myself.


Oh I got the memo, you'll be getting served one soon too.

I just wonder why you don't consider playing both sides of the fence
-- with your
knowledge of who's who in the cyber crime field, you could probably get paid
more as an informant (either to LEO or one of the "Intel" companies than
whatever you're doing for Emil and (allegedly) the RBN. You can't possible
sleep well knowing what your up to now so I figure it's the money that
motivates you.

Or, maybe you don't really know anyone, you just respond to their demands and
they end up with all the money, pr0n chicks, etc. Doesn't that bother
you -- don't
you want more?

Plus, no one would know you were pulling two pay checks -- you manage systems
on one side and pass info to the other. It's actually fairly simple --
maybe you already
know this ;).

If not, please explain this:


Without exception, all of the major security organizations on the
Internet agree that the 'Home' of cybercrime in the western world is a
firm known as Atrivo/Intercage, based in California. We ourselves have
not come to this conclusion lightly but from many years of dealing
with criminal operations hosted by Atrivo/Intercage, gangs of
cybercriminals - mostly Russian and East European but with several US
online crime gangs as well - whose activities always lead back to
servers run by Atrivo/Intercage. We have lost count of the times we
have tracked a major virus botnet's "command and control" to
Atrivo/Intercage servers, readers can view here some of the current
and historic SBL records for Atrivo for a taste of what has been
happening in this network. At almost every Internet security
conference, or law enforcement seminar on cyber-crime, a presentation
will detail some attack, exploit, phish or financial crime that has
some nexus at Atrivo/Intercage.

The person who runs Atrivo/Intercage, Emil Kacperski is an expert at
playing the "surprised janitor", unaware of every new criminal
enterprise found on his servers and keen to show he gets rid of some
criminals once their activities on his network are exposed. His
Internet hosting career first came to the attention of most anti-abuse
organizations when he pinched (or 'purchased stolen goods' as he put
it) and routed an unused block of 65,536 IP addresses belonging to the
County of Los Angeles.

Spamhaus has dealt with over 350 incidents of cyber-crime hosting on
Atrivo/Intercage and its related networks in the last 3 years alone,
all of which involved criminal operations such as malware, virus
spreaders and botnet command and control servers. Malware found by
Spamhaus on Atrivo/Intercage/Cernel/Hostfresh just in the last few
months included the Storm Worm installer and controller and a MySpace
spambot amongst others. Spamhaus currently sees a large amount of
activity related to malicious software and exploits being hosted on
Atrivo/Intercage which include DNS hijack malware, IFRAME browser
attacks, dialers, pirated software websites and blatantly criminal

We assume that every law enforcement agency with a cyber-crimes
division has a dossier bursting at the seams on Atrivo/Intercage and
its tentacles such as Esthost, Estdomains, Cernel, Hostfresh. The only
question on everyone's mind is which agency will beat the others to
shutting the whole place down and indicting the people behind it.
Because if shut down, one thing is certain: the amount of
malware-driven crime on the Internet would drop overnight as
cyber-criminals rush to find a new crime-friendly host - difficult to
find in the US, as Atrivo/Intercage is one of the very few remaining
dedicated crime hosting firms whose customer base is composed almost,
or perhaps entirely, of criminal gangs. More importantly, millions of
Internet users currently being targeted by the malware gangs operating
from Atrivo/Intercage will be, for a while, safer.

Perhaps one may be wondering about the costs of hosting at
Atrivo/Intercage or how to sign up? Well, don't expect to find this
information at the company's websites as they were empty for years and
for the last year have just shown "Website Coming Soon."

    http://www.atrivo.com => "InterCage, Inc. INTENSE SERVERS. Website
Coming Soon:"
    Last Updated: Thursday, September 06, 2007 4:32:59 PM

    http://www.intercage.com => "InterCage, Inc. INTENSE SERVERS.
Website Coming Soon:"
    Tuesday, September 04, 2007 6:45:52 PM

At one time after being asked, "how on earth does your company get
business?" an Atrivo/Intercage representative coyly said, "by word of
mouth." That seems to be quite obvious.


Thanks to the efforts of the people on this list, you've known
Estdomains/Esthost was bad news for several weeks or more.

Why are you only now shutting them down?

Thank you for proving that our research was not for naught, and that
Atrivo/Intercage is a black hat operation which needs to be
permanently disconnected from the Internet at all costs.

Drive Slow,
Paul Wall


Thanks to the efforts of the people on this list, you've known
Estdomains/Esthost was bad news for several weeks or more.

[root@control ~]# dig estdomains.com

; <<>> DiG 9.5.0-P2 <<>> estdomains.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2970
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0

;estdomains.com. IN A

estdomains.com. 86400 IN A

inetnum: -
netname: NL-ECATEL-20080829
descr: Ecatel LTD
country: NL
org: ORG-EL38-RIPE
admin-c: RvE16-RIPE
tech-c: RvE16-RIPE
mnt-lower: ECATEL-MNT
mnt-routes: ECATEL-MNT
source: RIPE # Filtered

person: Reinier van Eeden
address: Archangelkade 1-3
address: 1013 BE Amsterdam
mnt-by: IQARUS-MNT
e-mail: r.eeden@nl.iqarus.com
phone: +31 64 607 11 12
nic-hdl: RvE16-RIPE
source: RIPE # Filtered

The same guys were hosting several ROKSO spammers in 2006 allready. This smells badly!

Earlier this year they had also this one (also ROKSO)


The company that Reinier was with was called Icarus earlier, does that ring a bell? 3 of the top 10 ROKSO spammers were hosted there. This is more then just a normal shining.


Thanks to the efforts of the people on this list, you've known
Estdomains/Esthost was bad news for several weeks or more.

Why are you only now shutting them down?

"several weeks"? Try "several years". And do note the rationale
(below) for the refusal to shut them down.