[108119] in North American Network Operators' Group


Re: YAY! Re: Atrivo/Intercage: NO Upstream depeer

daemon@ATHENA.MIT.EDU (Russell Mitchell)
Wed Sep 24 04:29:31 2008

Date: Wed, 24 Sep 2008 01:29:03 -0700 (PDT)
From: Russell Mitchell <russm2k8@yahoo.com>
To: Mark Foo <mark.foo.dog@gmail.com>
Cc: nanog@nanog.org, Christopher Morrow <christopher.morrow@gmail.com>,
	Joe Greco <jgreco@ns.sol.net>
Errors-To: nanog-bounces@nanog.org

Hello Mark,

What's YOUR motivation to consistently attack my company?

What's my motivation to continue working @ InterCage?
To keep a roof over my family's heads, and to keep them well-fed:
1.) Myself
2.) My Wife
3.) My near 2 year old Son (November)
4.) My near 3 week old Daughter (Born Sept. 4th)

It's great that you finally accepted the claim of InterCage being associated with the famed "RBN" as being "alleged".
You've taken the first step into seeing how much BS information has been spread out about our company.

Whether you support me in my anti-abuse endeavor or not, as long as you get FACTUAL information, I'm happy.
However someday, I trust you will find and accept the truth about InterCage. From what I see now from the claims you're making, that day may not come soon.

Thank you for your time. Have a great day.
 ---
Russell Mitchell

InterCage, Inc.

----- Original Message ----
From: Mark Foo <mark.foo.dog@gmail.com>
To: Russell Mitchell <russm2k8@yahoo.com>
Cc: Bruce Williams <williams.bruce@gmail.com>; Christopher Morrow <christopher.morrow@gmail.com>; nanog@nanog.org; Joe Greco <jgreco@ns.sol.net>
Sent: Wednesday, September 24, 2008 1:14:01 AM
Subject: Re: YAY! Re: Atrivo/Intercage: NO Upstream depeer

Russell:

Oh I got the memo, you'll be getting served one soon too.

I just wonder why you don't consider playing both sides of the fence
-- with your
knowledge of who's who in the cyber crime field, you could probably get paid
more as an informant (either to LEO or one of the "Intel" companies than
whatever you're doing for Emil and (allegedly) the RBN. You can't possibly
sleep well knowing what you're up to now so I figure it's the money that
motivates you.

Or, maybe you don't really know anyone, you just respond to their demands and
they end up with all the money, pr0n chicks, etc. Doesn't that bother
you -- don't
you want more?

Plus, no one would know you were pulling two pay checks -- you manage systems
on one side and pass info to the other. It's actually fairly simple --
maybe you already
know this ;).

If not, please explain this:

http://www.spamhaus.org/news.lasso?article=636

Without exception, all of the major security organizations on the
Internet agree that the 'Home' of cybercrime in the western world is a
firm known as Atrivo/Intercage, based in California. We ourselves have
not come to this conclusion lightly but from many years of dealing
with criminal operations hosted by Atrivo/Intercage, gangs of
cybercriminals - mostly Russian and East European but with several US
online crime gangs as well - whose activities always lead back to
servers run by Atrivo/Intercage. We have lost count of the times we
have tracked a major virus botnet's "command and control" to
Atrivo/Intercage servers, readers can view here some of the current
and historic SBL records for Atrivo for a taste of what has been
happening in this network. At almost every Internet security
conference, or law enforcement seminar on cyber-crime, a presentation
will detail some attack, exploit, phish or financial crime that has
some nexus at Atrivo/Intercage.

The person who runs Atrivo/Intercage, Emil Kacperski is an expert at
playing the "surprised janitor", unaware of every new criminal
enterprise found on his servers and keen to show he gets rid of some
criminals once their activities on his network are exposed. His
Internet hosting career first came to the attention of most anti-abuse
organizations when he pinched (or 'purchased stolen goods' as he put
it) and routed an unused block of 65,536 IP addresses belonging to the
County of Los Angeles.

Spamhaus has dealt with over 350 incidents of cyber-crime hosting on
Atrivo/Intercage and its related networks in the last 3 years alone,
all of which involved criminal operations such as malware, virus
spreaders and botnet command and control servers. Malware found by
Spamhaus on Atrivo/Intercage/Cernel/Hostfresh just in the last few
months included the Storm Worm installer and controller and a MySpace
spambot amongst others. Spamhaus currently sees a large amount of
activity related to malicious software and exploits being hosted on
Atrivo/Intercage which include DNS hijack malware, IFRAME browser
attacks, dialers, pirated software websites and blatantly criminal
services.

We assume that every law enforcement agency with a cyber-crimes
division has a dossier bursting at the seams on Atrivo/Intercage and
its tentacles such as Esthost, Estdomains, Cernel, Hostfresh. The only
question on everyone's mind is which agency will beat the others to
shutting the whole place down and indicting the people behind it.
Because if shut down, one thing is certain: the amount of
malware-driven crime on the Internet would drop overnight as
cyber-criminals rush to find a new crime-friendly host - difficult to
find in the US, as Atrivo/Intercage is one of the very few remaining
dedicated crime hosting firms whose customer base is composed almost,
or perhaps entirely, of criminal gangs. More importantly, millions of
Internet users currently being targeted by the malware gangs operating
from Atrivo/Intercage will be, for a while, safer.

Perhaps one may be wondering about the costs of hosting at
Atrivo/Intercage or how to sign up? Well, don't expect to find this
information at the company's websites as they were empty for years and
for the last year have just shown "Website Coming Soon."

    http://www.atrivo.com => "InterCage, Inc. INTENSE SERVERS. Website
Coming Soon:"
    Last Updated: Thursday, September 06, 2007 4:32:59 PM

    http://www.intercage.com => "InterCage, Inc. INTENSE SERVERS.
Website Coming Soon:"
    Tuesday, September 04, 2007 6:45:52 PM

At one time after being asked, "how on earth does your company get
business?" an Atrivo/Intercage representative coyly said, "by word of
mouth." That seems to be quite obvious.


On Wed, Sep 24, 2008 at 12:45 AM, Russell Mitchell <russm2k8@yahoo.com> wrote:
> Hello Mark,
>
> It really seems YOU _DID_ miss the memo.
> I think that since no one else is responding to your nonsense, there is no reason for me to either.
>
> If you have something accurate to say, I'll be happy to listen.
> Until then, there's not much I can say. There's no sense in repeating myself.
>  ---
> Russell Mitchell
>
> InterCage, Inc.
>
>
> ----- Original Message ----
> From: Mark Foo <mark.foo.dog@gmail.com>
> To: Russell Mitchell <russm2k8@yahoo.com>
> Cc: Bruce Williams <williams.bruce@gmail.com>; Christopher Morrow <christopher.morrow@gmail.com>; nanog@nanog.org; Joe Greco <jgreco@ns.sol.net>
> Sent: Wednesday, September 24, 2008 12:27:50 AM
> Subject: Re: YAY! Re: Atrivo/Intercage: NO Upstream depeer
>
> Russell:
>
> Ferg was just being coy -- what you don't understand is there are about 3 other
> security mailing lists plotting to TAKE YOUR SERVICE DOWN. You FAIL. Law
> Enforcement might not take action against you (but appear to be interested now),
> but the community can. GET OFF THE NET WITH YOUR MALWARE!
>
> You mistake me for someone who believes your pack of lies! Don't you
> understand each
> time you post to this list gives those of us who know the opportunity
> to post MORE EVIDENCE
> of your MALWARE?
>
> You disconnected Hostfresh and think that's the extent of your crimes?
> Gimme a break.
> Only those who are easily socially engineered would believe your
> pathetic claims of innocence.
> You've BEEN HOSTING MALWARE since 2003 -- SEE Nanog post:
>
> Re: The in-your-face hijacking example
> http://www.irbs.net/internet/nanog/0305/0038.html
>
>> Let me know if there's anything else you'd like me to state to the public.
>
> Answer Ferg's question -- Why are you moving to CERNAL? Do you think this
> is going to work? That's just another of Emil's networks.
>
>> We're on a rocky road right now. But it IS starting to smooth out.
>
> That's just the calm before the storm.
>
> Go ahead and post a response to each of these allegations:
>
> Cybercrime's US Hosts
> http://www.spamhaus.org/news.lasso?article=636
>
> Report Slams U.S. Host as Major Source of Badware
> http://voices.washingtonpost.com/securityfix/2008/08/report_slams_us_host_as_major.html?nav=rss_blog
>
> A Superlative Scam and Spam Site Registrar
> http://voices.washingtonpost.com/securityfix/2008/09/estdomains.html?nav=rss_blog
>
> ICANN cast as online scam enabler
> http://www.theregister.co.uk/2008/09/03/cyber_crime_reports/
>
> 'Malware-friendly' Intercage back with the living
> http://www.theregister.co.uk/2008/09/24/intercage_back_online/
>
>
> On Tue, Sep 23, 2008 at 11:50 PM, Russell Mitchell <russm2k8@yahoo.com> wrote:
>>
>> Hello John Doe,
>>
>> I welcome any further comments you have.
>> We have to get past people such as yourself, and your blasphemous and false statements.
>>
>> This is the same issue with the recent media and self-proclaimed "Security Researchers". Fly-by-night mind you.
>>
>> To help you out in your claims:
>> Yes, we did house a client who had quite a run with their clients from various locations, such as Russia.
>> That Client is no longer hosted on our network. I myself spent all of Monday afternoon, night, and Tuesday morning shutting off EVERY machine they had leased in our Billing System. I'm currently working to scan further and see if there's anything I may have missed.
>>
>> Yes, Russia is very well known for Virus and Malware writers.
>>
>> Yes, we have had issues with malware distribution from our network.
>> This was directly and near singularly related to the former client of ours. We did have another client, Hostfresh, who had their share of malware issues.
>>
>> Both have been completely and effectively removed. The servers leased to both of them have been canceled, and their machines have been shut off.
>>
>> Let me know if there's anything else you'd like me to state to the public.
>> We're on a rocky road right now. But it IS starting to smooth out.
>>
>> Thank you for your time. Have a great day.
>>  ---
>> Russell Mitchell
>>
>> InterCage, Inc.
>>
>>
>> ----- Original Message ----
>> From: Mark Foo <mark.foo.dog@gmail.com>
>> To: Bruce Williams <williams.bruce@gmail.com>
>> Cc: Christopher Morrow <christopher.morrow@gmail.com>; nanog@nanog.org; Joe Greco <jgreco@ns.sol.net>
>> Sent: Tuesday, September 23, 2008 11:08:21 PM
>> Subject: Re: YAY! Re: Atrivo/Intercage: NO Upstream depeer
>>
>> NANOG:
>>
>> Look, the people posting here who are trashing Intercage are pure security
>> analysts -- they
>> know and understand the evil that is Intercage. STOP TRYING TO ASSIST
>> INTERCAGE
>> -- you are effectively aiding and abetting the enemy.
>>
>> Intercage/Atrivo hosts the malware c&c botnets that DDoS your systems and
>> networks.
>>
>> Intercage/Atrivo hosts the spyware that compromises your users' passwords.
>>
>> Intercage/Atrivo hosts the adware that slows your customers' machines.
>>
>> Don't take my word for it, DO YOUR OWN RESEARCH:
>> http://www.google.com/search?hl=en&q=intercage+malware
>>
>> You don't get called the ***American RBN*** for hosting a couple bad
>> machines. They
>> have and will continue to host much of the malware pumped out of America.
>> THEY
>> ARE NOT YOUR COMRADES..
>>
>> These people represent the most HIGHLY ORGANIZED CRIME you will ever
>> come across. Most people were afraid to speak out against them until this
>> recent ground swell.
>>
>> This is the MALWARE CARTEL. GET THE PICTURE?
>>
>> Many links have been posted here that prove this already -- instead of
>> asking
>> what customers they cut off, let them show WHAT CUSTOMERS ARE LEGIT--
>> because there are NONE.
>>
>>
>> > >> I would suggest a different Step 1.  Instead of killing power, simply
>> > >> isolate the affected machine.  This might be as simple as putting up a
>> > >> firewall rule or two, if it is simply sending outgoing SMTP spam, or
>> > > it's probably easiest (depending on the network gear of course) to
>> > > just put the lan port into an isolated VLAN. It's not the 100%
>> > > solution (some badness rm's itself once it loses connectivity to the
>> > > internets) but it'd make things simpler for the client/LEA when they
>> > > need to figure out what happened.
>> > >
>> > > -chris
>> >
>>
>