[108116] in North American Network Operators' Group


Re: YAY! Re: Atrivo/Intercage: NO Upstream depeer

daemon@ATHENA.MIT.EDU (Russell Mitchell)
Wed Sep 24 03:45:54 2008

Date: Wed, 24 Sep 2008 00:45:37 -0700 (PDT)
From: Russell Mitchell <russm2k8@yahoo.com>
To: Mark Foo <mark.foo.dog@gmail.com>
Cc: nanog@nanog.org, Christopher Morrow <christopher.morrow@gmail.com>,
	Joe Greco <jgreco@ns.sol.net>
Errors-To: nanog-bounces@nanog.org

Hello Mark,

It really seems YOU _DID_ miss the memo.
I think that since no one else is responding to your nonsense, there is no reason for me to either.

If you have something accurate to say, I'll be happy to listen.
Until then, there's not much I can say. There's no sense in repeating myself.
 ---
Russell Mitchell

InterCage, Inc.


----- Original Message ----
From: Mark Foo <mark.foo.dog@gmail.com>
To: Russell Mitchell <russm2k8@yahoo.com>
Cc: Bruce Williams <williams.bruce@gmail.com>; Christopher Morrow <christopher.morrow@gmail.com>; nanog@nanog.org; Joe Greco <jgreco@ns.sol.net>
Sent: Wednesday, September 24, 2008 12:27:50 AM
Subject: Re: YAY! Re: Atrivo/Intercage: NO Upstream depeer

Russell:

Ferg was just being coy -- what you don't understand is there are about 3 other
security mailing lists plotting to TAKE YOUR SERVICE DOWN. You FAIL. Law
Enforcement might not take action against you (but appear to be interested now),
but the community can. GET OFF THE NET WITH YOUR MALWARE!

You mistake me for someone who believes your pack of lies! Don't you
understand each time you post to this list gives those of us who know the
opportunity to post MORE EVIDENCE of your MALWARE?

You disconnected Hostfresh and think that's the extent of your crimes?
Gimme a break.
Only those who are easily socially engineered would believe your
pathetic claims of innocence.
You've BEEN HOSTING MALWARE since 2003 -- SEE NANOG post:

Re: The in-your-face hijacking example
http://www.irbs.net/internet/nanog/0305/0038.html

> Let me know if there's anything else you'd like me to state to the public.

Answer Ferg's question -- Why are you moving to CERNAL? Do you think this
is going to work? That's just another of Emil's networks.

> We're on a rocky road right now. But it IS starting to smooth out.

That's just the calm before the storm.

Go ahead and post a response to each of these allegations:

Cybercrime's US Hosts
http://www.spamhaus.org/news.lasso?article=636

Report Slams U.S. Host as Major Source of Badware
http://voices.washingtonpost.com/securityfix/2008/08/report_slams_us_host_as_major.html?nav=rss_blog

A Superlative Scam and Spam Site Registrar
http://voices.washingtonpost.com/securityfix/2008/09/estdomains.html?nav=rss_blog

ICANN cast as online scam enabler
http://www.theregister.co.uk/2008/09/03/cyber_crime_reports/

'Malware-friendly' Intercage back with the living
http://www.theregister.co.uk/2008/09/24/intercage_back_online/


On Tue, Sep 23, 2008 at 11:50 PM, Russell Mitchell <russm2k8@yahoo.com> wrote:
>
> Hello John Doe,
>
> I welcome any further comments you have.
> We have to get past people such as yourself, and your blasphemous and false statements.
>
> This is the same issue with the recent media and self-proclaimed "Security Researchers". Fly-by-night, mind you.
>
> To help you out in your claims:
> Yes, we did house a client who had quite a run with their clients from various locations, such as Russia.
> That client is no longer hosted on our network. I myself spent all of Monday afternoon, night, and Tuesday morning shutting off EVERY machine they had leased in our Billing System. I'm currently working to scan further and see if there's anything I may have missed.
>
> Yes, Russia is very well known for virus and malware writers.
>
> Yes, we have had issues with malware distribution from our network.
> This was directly and near singularly related to the former client of ours. We did have another client, Hostfresh, who had their share of malware issues.
>
> Both have been completely and effectively removed. The servers leased to both of them have been canceled, and their machines have been shut off.
>
> Let me know if there's anything else you'd like me to state to the public.
> We're on a rocky road right now. But it IS starting to smooth out.
>
> Thank you for your time. Have a great day.
>  ---
> Russell Mitchell
>
> InterCage, Inc.
>
>
> ----- Original Message ----
> From: Mark Foo <mark.foo.dog@gmail.com>
> To: Bruce Williams <williams.bruce@gmail.com>
> Cc: Christopher Morrow <christopher.morrow@gmail.com>; nanog@nanog.org; Joe Greco <jgreco@ns.sol.net>
> Sent: Tuesday, September 23, 2008 11:08:21 PM
> Subject: Re: YAY! Re: Atrivo/Intercage: NO Upstream depeer
>
> NANOG:
>
> Look, the people posting here who are trashing Intercage are pure security
> analysts -- they know and understand the evil that is Intercage. STOP TRYING
> TO ASSIST INTERCAGE -- you are effectively aiding and abetting the enemy.
>
> Intercage/Atrivo hosts the malware C&C botnets that DDoS your systems and
> networks.
>
> Intercage/Atrivo hosts the spyware that compromises your users' passwords.
>
> Intercage/Atrivo hosts the adware that slows your customers' machines.
>
> Don't take my word for it, DO YOUR OWN RESEARCH:
> http://www.google.com/search?hl=en&q=intercage+malware
>
> You don't get called the ***American RBN*** for hosting a couple bad
> machines. They have and will continue to host much of the malware pumped
> out of America. THEY ARE NOT YOUR COMRADES..
>
> These people represent the most HIGHLY ORGANIZED CRIME you will ever
> come across. Most people were afraid to speak out against them until this
> recent groundswell.
>
> This is the MALWARE CARTEL. GET THE PICTURE?
>
> Many links have been posted here that prove this already -- instead of
> asking what customers they cut off, let them show WHAT CUSTOMERS ARE LEGIT --
> because there are NONE.
>
>
> > >> I would suggest a different Step 1.  Instead of killing power, simply
> > >> isolate the affected machine.  This might be as simple as putting up a
> > >> firewall rule or two, if it is simply sending outgoing SMTP spam, or
> > > it's probably easiest (depending on the network gear of course) to
> > > just put the LAN port into an isolated VLAN. It's not the 100%
> > > solution (some badness rm's itself once it loses connectivity to the
> > > internets) but it'd make things simpler for the client/LEA when they
> > > need to figure out what happened.
> > >
> > > -chris
> > >
> >
>