Mailing List Archive

RE: Atrivo/Intercage
Just to add my $0.02 to this discussion and a disclaimer - I've known
Emil for years, I've seen his shop and even the controversy.
200 Paul is a small community, and most of the folks in there know
each other, I've been in there since 2001 or so.

Intercage is not a big shop, there are very few people involved in running
it and I have a very hard time believing the accusations made by some
of the folks around. I also don't believe Intercage was complicit in any
net-crime; That's not to say it didn't exist, but more along the lines
of they got lost in the noise of running a business. I'd guess that
given the server volume they've got, abuse emails are less than one percent
of all the email they get in a week. From what I've seen, the bulk of their
customer base is webhosters, Unix Shell providers and some video/audio
streamers. Were I to venture a guess on the number of folks reselling
those webservers, it's probably on the order of thousands...

Any time I've had an issue with one of Atrivo's customers, it only took
one email to get it dealt with, or I got Emil on IM or on the phone and
it was taken care of.

My experience with being on the other end of abuse@, I'd say a good
60-75% of the complaints I saw coming in were bogus. Either people
complaining about their ZoneAlarms going off, people complaining
about bounced emails with spam and a bunch of automated stuff that was
always wrong. The legit complaints were not always easy to deal with
either since a good 20-30% of them were unclear on what was actually wrong
until you spent some time digging.

Basically is what it boils down to for me - it's easy to blame
an NSP/ISP/Hoster for what their clients do, it takes real dedication to
find out what's *actually* going on.

--
Tom Sparks
(415) 367-7328x1001
Re: Atrivo/Intercage
On Sep 22, 2008, at 4:33 PM, Tom Sparks (Applied Operations) wrote:

> Intercage is not a big shop, there are very few people involved in
> running it



I have no dog in this fight, but I would comment on the "small shop"
issue as it relates to handling abuse complaints.

I own a small colo/hosting shop too. We don't have many employees.
If we had to deal with so many abuse complaints that things were
"getting lost in the noise", I'd have to seriously examine my AUP and
associated enforcement policies, add staff to handle abuse issues, or
both. Being small isn't an excuse. In fact, a small shop that runs a
clean network should be far better at handling abuse issues than the
larger players could ever hope to be.
Re: Atrivo/Intercage
On Sep 22, 2008, at 4:33 PM, Tom Sparks (Applied Operations) wrote:

> Basically is what it boils down to for me - it's easy to blame
> an NSP/ISP/Hoster for what their clients do, it takes real dedication to
> find out what's *actually* going on.

Tom,

Atrivo is not just a spammer, and Intercage has _not_ "taken care of"
problems - unless you count moving IP addresses around as "taking care
of" things. I'm sure the people downloading child pr0n or hosting
virus / C&C servers were very inconvenienced from having to change a
hostname. Pardon me if I am incredulous. And not because we were not
dedicated in trying to find out what was *actually* going on. Try
reading up on your friend before accusing the community of not doing
due diligence.

And don't give me any BS about not reading his abuse@ mail.


Eventually ignorance (willful ignorance?) in the service of evil
becomes indistinguishable from malice.

Basically, THAT is what it boils down to for me, and apparently
everyone else as well.

--
TTFN,
patrick
Re: Atrivo/Intercage
On Mon, Sep 22, 2008 at 04:48:16PM -0400, Drew Linsalata wrote:
> I have no dog in this fight, but I would comment on the "small shop"
> issue as it relates to handling abuse complaints.
>
> I own a small colo/hosting shop too. We don't have many employees.
> If we had to deal with so many abuse complaints that things were
> "getting lost in the noise"

Perhaps I should clarify - Abuse complaints being a small percentage
of normal requests for service (IE: I need a new hdd, an OS reinstalled)
I would agree that anyone besieged in abuse requests should take a
machete to the offending customer's cables :)

--
Tom Sparks
(415) 367-7328x1001
Re: Atrivo/Intercage
So... apparently AS27595 is back on the air, with aspath's like:

6461 23342 27595
6539 23342 27595
8075 23342 27595

23342 == UnitedLayer, Tom isn't that you or is that another Tom I'm remembering?

-Chris
Re: Atrivo/Intercage
On Mon, Sep 22, 2008 at 5:17 PM, Christopher Morrow
<morrowc.lists@gmail.com> wrote:
> So... apparently AS27595 is back on the air, with aspath's like:
>
> 6461 23342 27595
> 6539 23342 27595
> 8075 23342 27595
>
> 23342 == UnitedLayer, Tom isn't that you or is that another Tom I'm remembering?

ah! someone reminded me that Tom left UL :( but at least I was
remembering the right tom :)
Re: Atrivo/Intercage
On Mon, Sep 22, 2008 at 05:17:42PM -0400, Christopher Morrow wrote:
> So... apparently AS27595 is back on the air, with aspath's like:
> 6461 23342 27595
> 6539 23342 27595
> 8075 23342 27595
>
> 23342 == UnitedLayer, Tom isn't that you or is that another
> Tom I'm remembering?

Yep, same Tom, I was one of the founders of UnitedLayer.
I haven't been there since 2006, so it's not my doing.

I also noticed AS paths like this:
* 69.22.162.0/23 701 2914 32335 6461 23342 27595 i

I'm not sure what's going on there, but I'm thinking someone needs some help :)

--
Tom Sparks
(415) 367-7328x1001
Re: Atrivo/Intercage
On Mon, Sep 22, 2008 at 5:25 PM, Tom Sparks (Applied Operations)
<tsparks@appliedops.net> wrote:
> On Mon, Sep 22, 2008 at 05:17:42PM -0400, Christopher Morrow wrote:
>> So... apparently AS27595 is back on the air, with aspath's like:
>> 6461 23342 27595
>> 6539 23342 27595
>> 8075 23342 27595
>>
>> 23342 == UnitedLayer, Tom isn't that you or is that another
>> Tom I'm remembering?
>
> Yep, same Tom, I was one of the founders of UnitedLayer.
> I haven't been there since 2006, so it's not my doing.
>

yup, didn't particularly mean it was 'your doing' (even if you were
there) but that perhaps (if you were still there) you might be able to
influence the ops folks some... if you thought it worthy.

> I also noticed AS paths like this:
> * 69.22.162.0/23 701 2914 32335 6461 23342 27595 i
>
> I'm not sure what's going on there, but I'm thinking someone needs some help :)
>

yea I suspect that's a history route (or PIE re-opened the links
between PIE/Atrivo). Or... Abovenet & PIE & NTT aren't filtering their
customers in a way that keeps PIE from providing transit to NTT for
Abovenet :( (NTT says loud and long they filter based on IRR data, PIE
might not have updated their IRR info?)

weird though.
Re: Atrivo/Intercage
On Mon, Sep 22, 2008 at 5:48 PM, Christopher Morrow
<morrowc.lists@gmail.com> wrote:
> On Mon, Sep 22, 2008 at 5:25 PM, Tom Sparks (Applied Operations)
> <tsparks@appliedops.net> wrote:
>> I also noticed AS paths like this:
>> * 69.22.162.0/23 701 2914 32335 6461 23342 27595 i
>>
>> I'm not sure what's going on there, but I'm thinking someone needs some help :)
>>
>
> yea I suspect that's a history route (or PIE re-opened the links
> between PIE/Atrivo). Or... Abovenet & PIE & NTT aren't filtering their
> customers in a way that keeps PIE from providing transit to NTT for
> Abovenet :( (NTT says loud and long they filter based on IRR data, PIE
> might not have updated their IRR info?)
>
> weird though.
>

actually, I think PIE sees this route from 6461 and passes it along
probably because they didn't update the filters on their sessions when
they dropped the links to 27595 :( Also they didn't update the IRR
data to remove this set of prefixes.

bummers.
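
The failure described in the message above, as an added example that is not part of the original thread: a prefix filter built from stale IRR data accepts the route, while a valley-free check on the AS path flags the re-export from AS32335 to AS2914. The IRR entry and the customer/peer relationships are constructed assumptions; the AS names in the comments follow the thread's reading of the path.

```python
import ipaddress

# Line quoted in the thread: "* <prefix> <AS path, nearest AS first> <origin code>".
OBSERVED = "* 69.22.162.0/23 701 2914 32335 6461 23342 27595 i"

# ASSUMPTION (constructed): route objects still present in the customer's IRR set.
STALE_IRR_SET = ["69.22.162.0/23"]

# ASSUMPTION (constructed): provider -> customers. Names per the thread's reading:
# 2914 NTT, 6461 Abovenet, 32335 PIE, 23342 UnitedLayer, 27595 Atrivo.
CUSTOMERS_OF = {
    2914: {32335},
    6461: {32335, 23342},
    23342: {27595},
}
PEERS = {frozenset((701, 2914))}


def parse_bgp_line(line):
    """Split a 'show ip bgp'-style line into (prefix, [ASNs])."""
    fields = line.split()
    if fields and fields[0].startswith("*"):
        fields = fields[1:]                      # drop the status marker
    prefix = str(ipaddress.ip_network(fields[0]))
    path = [int(f) for f in fields[1:] if f.isdigit()]  # skips the origin code
    return prefix, path


def irr_prefix_filter_accepts(prefix, irr_prefixes):
    """Prefix-only filter: exact match against the registered route objects."""
    net = ipaddress.ip_network(prefix)
    return any(net == ipaddress.ip_network(p) for p in irr_prefixes)


def hop_kind(sender, receiver, customers_of, peers):
    """Direction of one export, seen from the AS sending the route."""
    if sender in customers_of.get(receiver, ()):
        return "up"        # customer exports to its provider
    if receiver in customers_of.get(sender, ()):
        return "down"      # provider exports to its customer
    if frozenset((sender, receiver)) in peers:
        return "peer"
    return "unknown"       # no data (or prepending): cannot judge this hop


def find_leak(as_path, customers_of=CUSTOMERS_OF, peers=PEERS):
    """Return (leaker, receiver) for the first valley-free violation, else None.

    A route learned from a provider or peer must only go down to customers;
    exporting it up or sideways makes the exporting AS unintended transit.
    """
    hops = list(reversed(as_path))               # origin AS first
    past_peak = False
    for sender, receiver in zip(hops, hops[1:]):
        kind = hop_kind(sender, receiver, customers_of, peers)
        if kind == "unknown":
            continue
        if past_peak and kind in ("up", "peer"):
            return (sender, receiver)
        if kind in ("down", "peer"):
            past_peak = True
    return None


if __name__ == "__main__":
    prefix, path = parse_bgp_line(OBSERVED)
    print("prefix filter accepts:", irr_prefix_filter_accepts(prefix, STALE_IRR_SET))
    print("valley-free violation:", find_leak(path))
    print("direct path violation:", find_leak([6461, 23342, 27595]))
```

The prefix filter passes because it only asks whether the prefix is registered, not which neighbour the customer learned it from; the path check needs relationship data to catch the same route.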
Re: Atrivo/Intercage
On Mon, Sep 22, 2008 at 05:50:58PM -0400, Christopher Morrow wrote:
> actually, I think PIE sees this route from 6461 and passes it along
> probably because they didn't update the filters on their sessions when
> they dropped the links to 27595 :(

Has anyone actually confirmed that the link is dropped with PIE?

> Also they didn't update the IRR data to remove this set of prefixes.

Looks like they've got all kindsa stuff in there...

--
Tom Sparks
(415) 367-7328x1001
Re: Atrivo/Intercage
> On Sep 22, 2008, at 4:33 PM, Tom Sparks (Applied Operations) wrote:
> > Intercage is not a big shop, there are very few people involved in
> > running it
>
> I have no dog in this fight, but I would comment on the "small shop"
> issue as it relates to handling abuse complaints.
>
> I own a small colo/hosting shop too. We don't have many employees.
> If we had to deal with so many abuse complaints that things were
> "getting lost in the noise", I'd have to seriously examine my AUP and
> associated enforcement policies, add staff to handle abuse issues, or
> both. Being small isn't an excuse. In fact, a small shop that runs a
> clean network should be far better at handling abuse issues than the
> larger players could ever hope to be.

I would have to agree with this latter bit. We count incidents per YEAR.
On a hand. Mostly because we haven't made a habit of accepting random
clients, I guess, but were it a problem, it would be made not to be.

Being proactive is a big part of this. For example, when ARIN began to
allow abuse contacts for IP space, we fairly quickly registered a POC
for it.

... JG
--
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.
Re: Atrivo/Intercage
http://www.giantitp.com/comics/oots0595.html

I think that sums up this thread.


On Tue, 23 Sep 2008, Joe Greco wrote:

>> On Sep 22, 2008, at 4:33 PM, Tom Sparks (Applied Operations) wrote:
>>> Intercage is not a big shop, there are very few people involved in
>>> running it
>>
>> I have no dog in this fight, but I would comment on the "small shop"
>> issue as it relates to handling abuse complaints.
>>
>> I own a small colo/hosting shop too. We don't have many employees.
>> If we had to deal with so many abuse complaints that things were
>> "getting lost in the noise", I'd have to seriously examine my AUP and
>> associated enforcement policies, add staff to handle abuse issues, or
>> both. Being small isn't an excuse. In fact, a small shop that runs a
>> clean network should be far better at handling abuse issues than the
>> larger players could ever hope to be.
>
> I would have to agree with this latter bit. We count incidents per YEAR.
> On a hand. Mostly because we haven't made a habit of accepting random
> clients, I guess, but were it a problem, it would be made not to be.
>
> Being proactive is a big part of this. For example, when ARIN began to
> allow abuse contacts for IP space, we fairly quickly registered a POC
> for it.
>
> ... JG
> --
> Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
> "We call it the 'one bite at the apple' rule. Give me one chance [and] then I
> won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
> With 24 million small businesses in the US alone, that's way too many apples.
>
Re: Atrivo/Intercage
On Sep 22, 2008, at 1:33 PM, Tom Sparks (Applied Operations) wrote:
> I also don't believe Intercage was complicit in any
> net-crime; That's not to say it didn't exist, but more along the lines
> of they got lost in the noise of running a business.

Which is not acceptable. You answer your abuse complaints, you shut
down your spammers. Period, end of subject.

--
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source
and other randomness
Re: Atrivo/Intercage
> On Sep 22, 2008, at 1:33 PM, Tom Sparks (Applied Operations) wrote:
> > I also don't believe Intercage was complicit in any
> > net-crime; That's not to say it didn't exist, but more along the lines
> > of they got lost in the noise of running a business.
>
> Which is not acceptable. You answer your abuse complaints, you shut
> down your spammers. Period, end of subject.

That's a bit '90's. I'll settle for s/answer/handle/, because I don't
think that most sites are willing to actually discuss abuse issues with
random folks submitting complaints, and so that leaves you with either
sending a form letter of some sort, or not saying anything. Further,
many places seem to send form letters but not do anything. I am not
sure that there is much (or any) value-add in sending a response, unless
further information is needed.

From my point of view, the best response is when the problem simply goes
away. A personal reply (rather than a form letter) is also generally a
really good sign that someone cares enough to show that they're doing
something, but again that seems to be the exception rather than the
norm. The Afterburner experience, however, should be an excellent
example for the difference that simply *showing* you care and are doing
something makes.

... JG
--
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.
Re: Atrivo/Intercage
On Sep 23, 2008, at 8:12 PM, Joe Greco wrote:
>> Which is not acceptable. You answer your abuse complaints, you shut
>> down your spammers. Period, end of subject.
>
> That's a bit '90's. I'll settle for s/answer/handle/, because I don't
> think that most sites are willing to actually discuss abuse issues with
> random folks submitting complaints, and so that leaves you with either
> sending a form letter of some sort, or not saying anything.

I went out of my way to get it written into our customer contract that
we can discuss abuse issues with the affected parties.

And I am simply an employee, neither an executive nor an owner, so
this took a bit of doing. But it has given me great pleasure the few
times that we made a mistake with a customer, and I got to tell the
affected parties that the abuser is now homeless ;-)

--
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source
and other randomness
Re: Atrivo/Intercage
Tom Sparks (Applied Operations) wrote:
> Basically is what it boils down to for me - it's easy to blame
> an NSP/ISP/Hoster for what their clients do, it takes real dedication to
> find out what's *actually* going on.
>
We did, and now we're solving the problem.

Andrew
Re: Atrivo/Intercage
--- trelane@trelane.net wrote:
From: Andrew D Kirch <trelane@trelane.net>

> Basically is what it boils down to for me - it's
> easy to blame an NSP/ISP/Hoster for what their
> clients do, it takes real dedication to find out
> what's *actually* going on.

: We did, and now we're solving the problem.
------------------------------------------



Apparently, this is what's going on. Making money at the expense of everyone else on the internet:

---------------------------
> If I had the ability... I would cut Esthost as a
> client... But, in doing so, it causes nearly a
> quarter if not half of the company's monthly
> revenue to be cut. That is not too good of a move
> nor reasonably possible ;)
>
> People consider Atrivo/InterCage to be some abuse
> supporting company...
>
> If only any of you knew what the position would be
> in a company our size.
>
> It's not as easy as you believe it to be ;)
>
> Russell Mitchell - Russ[at]Atrivo.com
> Atrivo Technologies
------------------------------


scott
Re: Atrivo/Intercage
Hi,

On Wed, 2008-09-24 at 07:06 -0700, Scott Weeks wrote:
> --- trelane@trelane.net wrote:
> From: Andrew D Kirch <trelane@trelane.net>
>
> > Basically is what it boils down to for me - it's
> > easy to blame an NSP/ISP/Hoster for what their
> > clients do, it takes real dedication to find out
> > what's *actually* going on.
>
> : We did, and now we're solving the problem.
> ------------------------------------------
>
>
>
> Apparently, this is what's going on. Making money at the expense of everyone else on the internet:
>
> ---------------------------
> > If I had the ability... I would cut Esthost as a
> > client... But, in doing so, it causes nearly a
> > quarter if not half of the company's monthly
> > revenue to be cut. That is not too good of a move
> > nor reasonably possible ;)
> >
> > People consider Atrivo/InterCage to be some abuse
> > supporting company...
> >
> > If only any of you knew what the position would be
> > in a company our size.
> >
> > It's not as easy as you believe it to be ;)
> >
> > Russell Mitchell - Russ[at]Atrivo.com
> > Atrivo Technologies
> ------------------------------
>
>

Esthost (the main problem) is actually cut off as of this morning. So
actually, they are taking steps to fix the problem.

However, as we all know, there is the real story, and then there is the
NANOG story. We should keep this all in mind, Intercage are actually
trying hard to clean up their network, and now is the time to stop with
the whining and actually help them identify the problems.

Esthost is a tricky situation because it is a significant portion of
their income... but they are offline. I would be reluctant to cut them
off too if I were in their position... not because it's the right thing
to do, but because they are such a large client that I might not be able
to pay the bills at the end of the month. If you were in their position,
wouldn't you have concerns about terminating ANY source of income that
is that large too?

That said, they should have dropped Esthost before it got that big, but
they didn't. People make bad choices, but for fucks sake, let's move on
already.

I have also noticed that most of the people doing the whining aren't
even the people who are tracking the problem. Again, a case of the NANOG
story versus the real story...

William
Re: Atrivo/Intercage
Hi,

On Wed, 2008-09-24 at 17:54 -0700, Scott Weeks wrote:
>
> --- nenolod@systeminplace.net wrote:
> I have also noticed that most of the people doing the whining aren't
> even the people who are tracking the problem. Again, a case of the NANOG
> story versus the real story...
> --------------------------------------
>
>
>
> I didn't whine.

No, but others have, and it isn't helpful towards resolving this
problem.

Ultimately, neither is forcing them off the internet. Well, in
actuality, that resolves part of the problem, but I suspect that a lot
of the affected cybercrime has moved to other networks by now... so in
reality the real problem isn't solved (except that the problem is mostly
being moved away from Intercage). And shutting down ISPs who host these
guys will solve nothing either. They will jump providers until the end
of time.

The solution here is to go after the *people* who make this crap. They
*are* breaking the law and we have the proof.

William
Re: Atrivo/Intercage
On Wed, Sep 24, 2008 at 9:50 PM, William Pitcock
<nenolod@systeminplace.net> wrote:

> The solution here is to go after the *people* who make this crap. They
> *are* breaking the law and we have the proof.

agreed... but keep in mind 'breaking the law' is relative... So, CP is
illegal in the US, but maybe not where it was made (CP's not the best
example of course because it lives in a weird place in everyone's
laws)... how about simple hacking? that's illegal in the US (mostly,
depending on what's being done) but not in other places, and perhaps
not if committed outside the local jurisdiction(s).

-Chris
Re: Atrivo/Intercage
Christopher Morrow wrote:
> On Wed, Sep 24, 2008 at 9:50 PM, William Pitcock
> <nenolod@systeminplace.net> wrote:
>
>> The solution here is to go after the *people* who make this crap. They
>> *are* breaking the law and we have the proof.
>
> agreed... but keep in mind 'breaking the law' is relative... So, CP is
> illegal in the US, but maybe not where it was made (CP's not the best
> example of course because it lives in a weird place in everyone's
> laws)... how about simple hacking? that's illegal in the US (mostly,
> depending on what's being done) but not in other places, and perhaps
> not if committed outside the local jurisdiction(s).

Apprehending criminals is the Law's job.

My job is making sure they don't deal that sh*t in MY parking lot.
Re: Atrivo/Intercage
On Wed, 24 Sep 2008, William Pitcock wrote:
> No, but others have, and it isn't helpful towards resolving this
> problem.
>
> Ultimately, neither is forcing them off the internet. Well, in
> actuality, that resolves part of the problem, but I suspect that a lot
> of the affected cybercrime has moved to other networks by now... so in
> reality the real problem isn't solved (except that the problem is mostly
> being moved away from Intercage). And shutting down ISPs who host these
> guys will solve nothing either. They will jump providers until the end
> of time.

The fear is evolution in technological advancement they may make rather
than just where they will scatter to, but that is a solid point. Still, we
have seen in the past that they evolve regardless. The future will tell
whether this was a foolishness, or a step in the right directions.

> The solution here is to go after the *people* who make this crap. They
> *are* breaking the law and we have the proof.

I couldn't agree more. Unfortunately, that isn't happening. Whether I like
it or not there are two layers of attackers. The initiator, and the proxy.
The proxy is on networks, and networks we can reach out to.

Gadi.

>
> William
>
>
Re: Atrivo/Intercage
On Wed, Sep 24, 2008 at 07:12:31PM -0500, William Pitcock wrote:
> That said, they should have dropped Esthost before it got that big, but
> they didn't.

Didn't you notice that the quoted material was from *three years ago*?

And this problem didn't begin three years ago, either. For example:


> From furioun@spin.it Fri Dec 5 09:53:14 EST 2003
> Article: 1141964 of news.admin.net-abuse.email
> From: furio ercolessi <furioea@spin.it>
> Newsgroups: news.admin.net-abuse.email
> Subject: AS27595 (Atrivo) here no more
> Date: 5 Dec 2003 09:29:30 GMT
> Organization: Spin Internetworking
> Message-ID: <bqpj5q$6ra$1@half.spin.it>
> Reply-To: furioun@spin.it
> NNTP-Posting-Host: photon.spin.it
>
> After several months of spam support including routing of hijacked IP
> blocks, without apparent traces of non-abuse related IP traffic, our
> backbone is now stopping the exchange of IP packets with AS27595,
> currently announcing the following blocks:
>
> Network          DNSBL  Upstreams
> ---------------  -----  ------------------
> 65.124.21.0/24          4474
> 66.250.145.0/24  S2489  22934
> 67.130.99.0/24          4474
> 69.1.78.0/24     S2783  4474, 22934
> 69.31.64.0/20    S2453  4474
> 69.31.76.0/22    S2453  4474, 30371
> 69.50.160.0/20   S2489  4474, 22934, 30371
> 69.50.176.0/20   S2489  4474, 22934, 30371
> 69.50.176.0/20 S2489 4474, 22934, 30371
>
> AS4474 Global Village Communication, Inc.
> AS22934 E Broadband Now Inc.
> AS30371 nLayer Communications, Inc.
>
> We are currently considering an extension of this measure to the
> three entities above, which also seem to appear repeatedly in connection
> with network abuses and with very little, if any, legitimate traffic
> with our customers.
>
> furio ercolessi
> Spin.it

---Rsk
Re: Atrivo/Intercage
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wed, Sep 24, 2008 at 7:02 PM, Laurence F. Sheldon, Jr.
<LarrySheldon@cox.net> wrote:

>
> Apprehending criminals is the Law's job.
>
> My job is making sure they don't deal that sh*t in MY parkinglot.
>

Exactly.

It could be argued (since _is_ the North American Network Operators Group)
that pushing this sort of criminal activity _out_ of North America is a
good First Step.... to be able to better manage the situation.

- - ferg

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.3 (Build 3017)

wj8DBQFI2vKTq1pz9mNUZTMRAhK3AJ41SKDLnteNVSqjoNlLDMNutY3sNACgu3O8
EZT2NSbpVvHcd7XRgjBAAQA=
=bmQI
-----END PGP SIGNATURE-----


--
"Fergie", a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawgster(at)gmail.com
ferg's tech blog: http://fergdawg.blogspot.com/
Re: Atrivo/Intercage
--- nenolod@systeminplace.net wrote:
From: William Pitcock <nenolod@systeminplace.net>

> I didn't whine.

No, but others have, and it isn't helpful towards resolving this
problem.
----------------------------------------


I also wrote you that in private, but you decided to make it public without asking me. That type of action makes your position less valid.

scott
