[108125] in North American Network Operators' Group


Re: YAY! Re: Atrivo/Intercage: NO Upstream depeer

daemon@ATHENA.MIT.EDU (Gadi Evron)
Wed Sep 24 06:52:19 2008

Date: Wed, 24 Sep 2008 05:51:38 -0500 (CDT)
From: Gadi Evron <ge@linuxbox.org>
To: Russell Mitchell <russm2k8@yahoo.com>
In-Reply-To: <648989.85024.qm@web45013.mail.sp1.yahoo.com>
Cc: Christopher Morrow <christopher.morrow@gmail.com>, nanog@nanog.org,
	Joe Greco <jgreco@ns.sol.net>
Errors-To: nanog-bounces@nanog.org


On Wed, 24 Sep 2008, Russell Mitchell wrote:
> Hello Mark,
>
> What's YOUR motivation to consistently attack my company?

I don't know this Mark, but it seems like he is copying your strategy of
"stay up last and you win" as you both make little sense.

	Gadi.



> What's my motivation to continue working @ InterCage?
> To keep a roof over my family's heads, and to keep them well-fed:
> 1.) Myself
> 2.) My Wife
> 3.) My near 2 year old Son (November)
> 4.) My near 3 week old Daughter (Born Sept. 4th)
>
> It's great that you finally accepted the claim of InterCage being associated with the famed "RBN" as being "alleged".
> You've taken the first step into seeing how much BS information has been spread out about our company.
>
> Whether you support me in my anti-abuse endeavor or not, as long as you get FACTUAL information, I'm happy.
> However someday, I trust you will find and accept the truth about InterCage. From what I see now from the claims you're making, that day may not come soon.
>
> Thank you for your time. Have a great day.
>  ---
> Russell Mitchell
>
> InterCage, Inc.
>
> ----- Original Message ----
> From: Mark Foo <mark.foo.dog@gmail.com>
> To: Russell Mitchell <russm2k8@yahoo.com>
> Cc: Bruce Williams <williams.bruce@gmail.com>; Christopher Morrow <christopher.morrow@gmail.com>; nanog@nanog.org; Joe Greco <jgreco@ns.sol.net>
> Sent: Wednesday, September 24, 2008 1:14:01 AM
> Subject: Re: YAY! Re: Atrivo/Intercage: NO Upstream depeer
>
> Russell:
>
> Oh I got the memo, you'll be getting served one soon too.
>
> I just wonder why you don't consider playing both sides of the fence
> -- with your
> knowledge of who's who in the cyber crime field, you could probably get paid
> more as an informant (either to LEO or one of the "Intel" companies than
> whatever you're doing for Emil and (allegedly) the RBN. You can't possibly
> sleep well knowing what you're up to now so I figure it's the money that
> motivates you.
>
> Or, maybe you don't really know anyone, you just respond to their demands and
> they end up with all the money, pr0n chicks, etc. Doesn't that bother
> you -- don't
> you want more?
>
> Plus, no one would know you were pulling two pay checks -- you manage systems
> on one side and pass info to the other. It's actually fairly simple --
> maybe you already
> know this ;).
>
> If not, please explain this:
>
> http://www.spamhaus.org/news.lasso?article=636
>
> Without exception, all of the major security organizations on the
> Internet agree that the 'Home' of cybercrime in the western world is a
> firm known as Atrivo/Intercage, based in California. We ourselves have
> not come to this conclusion lightly but from many years of dealing
> with criminal operations hosted by Atrivo/Intercage, gangs of
> cybercriminals - mostly Russian and East European but with several US
> online crime gangs as well - whose activities always lead back to
> servers run by Atrivo/Intercage. We have lost count of the times we
> have tracked a major virus botnet's "command and control" to
> Atrivo/Intercage servers, readers can view here some of the current
> and historic SBL records for Atrivo for a taste of what has been
> happening in this network. At almost every Internet security
> conference, or law enforcement seminar on cyber-crime, a presentation
> will detail some attack, exploit, phish or financial crime that has
> some nexus at Atrivo/Intercage.
>
> The person who runs Atrivo/Intercage, Emil Kacperski is an expert at
> playing the "surprised janitor", unaware of every new criminal
> enterprise found on his servers and keen to show he gets rid of some
> criminals once their activities on his network are exposed. His
> Internet hosting career first came to the attention of most anti-abuse
> organizations when he pinched (or 'purchased stolen goods' as he put
> it) and routed an unused block of 65,536 IP addresses belonging to the
> County of Los Angeles.
>
> Spamhaus has dealt with over 350 incidents of cyber-crime hosting on
> Atrivo/Intercage and its related networks in the last 3 years alone,
> all of which involved criminal operations such as malware, virus
> spreaders and botnet command and control servers. Malware found by
> Spamhaus on Atrivo/Intercage/Cernel/Hostfresh just in the last few
> months included the Storm Worm installer and controller and a MySpace
> spambot amongst others. Spamhaus currently sees a large amount of
> activity related to malicious software and exploits being hosted on
> Atrivo/Intercage which include DNS hijack malware, IFRAME browser
> attacks, dialers, pirated software websites and blatantly criminal
> services.
>
> We assume that every law enforcement agency with a cyber-crimes
> division has a dossier bursting at the seams on Atrivo/Intercage and
> its tentacles such as Esthost, Estdomains, Cernel, Hostfresh. The only
> question on everyone's mind is which agency will beat the others to
> shutting the whole place down and indicting the people behind it.
> Because if shut down, one thing is certain: the amount of
> malware-driven crime on the Internet would drop overnight as
> cyber-criminals rush to find a new crime-friendly host - difficult to
> find in the US, as Atrivo/Intercage is one of the very few remaining
> dedicated crime hosting firms whose customer base is composed almost,
> or perhaps entirely, of criminal gangs. More importantly, millions of
> Internet users currently being targeted by the malware gangs operating
> from Atrivo/Intercage will be, for a while, safer.
>
> Perhaps one may be wondering about the costs of hosting at
> Atrivo/Intercage or how to sign up? Well, don't expect to find this
> information at the company's websites as they were empty for years and
> for the last year have just shown "Website Coming Soon."
>
>     http://www.atrivo.com => "InterCage, Inc.. INTENSE SERVERS. Website
> Coming Soon:"
>     Last Updated: Thursday, September 06, 2007 4:32:59 PM
>
>     http://www.intercage.com => "InterCage, Inc. INTENSE SERVERS.
> Website Coming Soon:"
>     Tuesday, September 04, 2007 6:45:52 PM
>
> At one time after being asked, "how on earth does your company get
> business?" an Atrivo/Intercage representative coyly said, "by word of
> mouth." That seems to be quite obvious.
>
>
>
>
> On Wed, Sep 24, 2008 at 12:45 AM, Russell Mitchell <russm2k8@yahoo.com> wrote:
>> Hello Mark,
>>
>> It really seems YOU _DID_ miss the memo.
>> I think that since no one else is responding to your non-sense, there is no reason for me to either.
>>
>> If you have something accurate to say, I'll be happy to listen.
>> Until then, there's not much I can say. There's no sense in repeating myself.
>>   ---
>> Russell Mitchell
>>
>> InterCage, Inc.
>>
>>
>>
>> ----- Original Message ----
>> From: Mark Foo <mark.foo.dog@gmail.com>
>> To: Russell Mitchell <russm2k8@yahoo.com>
>> Cc: Bruce Williams <williams.bruce@gmail.com>; Christopher Morrow <christopher.morrow@gmail.com>; nanog@nanog.org; Joe Greco <jgreco@ns.sol.net>
>> Sent: Wednesday, September 24, 2008 12:27:50 AM
>> Subject: Re: YAY! Re: Atrivo/Intercage: NO Upstream depeer
>>
>> Russell:
>>
>> Ferg was just being coy -- what you don't understand is there are about 3 other
>> security mailing lists plotting to TAKE YOUR SERVICE DOWN. You FAIL. Law
>> Enforcement might not take action against you (but appear to be interested now),
>> but the community can. GET OFF THE NET WITH YOUR MALWARE!
>>
>> You mistake me for someone who believes your pack of lies! Don't you
>> understand each
>> time you post to this list gives those of us who know the opportunity
>> to post MORE EVIDENCE
>> of your MALWARE?
>>
>> You disconnected Hostfresh and think that's the extent of your crimes?
>> Gimme a break.
>> Only those who are easily socially engineered would believe your
>> pathetic claims of innocence.
>> You've BEEN HOSTING MALWARE since 2003 -- SEE Nanog post:
>>
>> Re: The in-your-face hijacking example
>> http://www.irbs.net/internet/nanog/0305/0038.html
>>
>>> Let me know if there's anything else you'd like me to state to the public.
>>
>> Answer Ferg's question -- Why are you moving to CERNAL? Do you think this
>> is going to work? That's just another of Emil's networks.
>>
>>> We're on a rocky road right now. But it IS starting to smooth out.
>>
>> That's just the calm before the storm.
>>
>> Go ahead and post a response to each of these allegations:
>>
>> Cybercrime's US Hosts
>> http://www.spamhaus.org/news.lasso?article=636
>>
>> Report Slams U.S. Host as Major Source of Badware
>> http://voices.washingtonpost.com/securityfix/2008/08/report_slams_us_host_as_major.html?nav=rss_blog
>>
>> A Superlative Scam and Spam Site Registrar
>> http://voices.washingtonpost.com/securityfix/2008/09/estdomains.html?nav=rss_blog
>>
>> ICANN cast as online scam enabler
>> http://www.theregister.co.uk/2008/09/03/cyber_crime_reports/
>>
>> 'Malware-friendly' Intercage back with the living
>> http://www.theregister.co.uk/2008/09/24/intercage_back_online/
>>
>>
>>
>>
>>
>>
>>
>>
>> On Tue, Sep 23, 2008 at 11:50 PM, Russell Mitchell <russm2k8@yahoo.com> wrote:
>>>
>>> Hello John Doe,
>>>
>>> I welcome any further comments you have.
>>> We have to get past people such as yourself, and your blasphemous and false statements.
>>>
>>> This is the same issue with the recent media and self-proclaimed "Security Researchers". Fly-by-night mind you.
>>>
>>> To help you out in your claims:
>>> Yes, we did house a client who had quite a run with their clients from various locations, such as Russia.
>>> That Client is no longer hosted on our network. I myself spent all of Monday afternoon, night, and Tuesday morning shutting off EVERY machine they had leased in our Billing System. I'm currently working to scan further and see if there's anything I may have missed.
>>>
>>> Yes, Russia is very well known for Virus and Malware writers.
>>>
>>> Yes, we have had issues with malware distribution from our network.
>>> This was directly and near singularly related to the former client of ours. We did have another client, Hostfresh, who had their share of malware issues.
>>>
>>> Both have been completely and effectively removed. The servers leased to both of them have been canceled, and their machines have been shut off.
>>>
>>> Let me know if there's anything else you'd like me to state to the public.
>>> We're on a rocky road right now. But it IS starting to smooth out.
>>>
>>> Thank you for your time. Have a great day.
>>>   ---
>>> Russell Mitchell
>>>
>>> InterCage, Inc.
>>>
>>>
>>>
>>> ----- Original Message ----
>>> From: Mark Foo <mark.foo.dog@gmail.com>
>>> To: Bruce Williams <williams.bruce@gmail.com>
>>> Cc: Christopher Morrow <christopher.morrow@gmail.com>; nanog@nanog.org; Joe Greco <jgreco@ns.sol.net>
>>> Sent: Tuesday, September 23, 2008 11:08:21 PM
>>> Subject: Re: YAY! Re: Atrivo/Intercage: NO Upstream depeer
>>>
>>> NANOG:
>>>
>>> Look, the people posting here who are trashing Intercage are pure security
>>> analysts -- they
>>> know and understand the evil that is Intercage. STOP TRYING TO ASSIST
>>> INTERCAGE
>>> -- you are effectively aiding and abetting the enemy.
>>>
>>> Intercage/Atrivo hosts the malware c&c botnets that DDoS your systems and
>>> networks.
>>>
>>> Intercage/Atrivo hosts the spyware that compromises your users' passwords.
>>>
>>> Intercage/Atrivo hosts the adware that slows your customers' machines.
>>>
>>> Don't take my word for it, DO YOUR OWN RESEARCH:
>>> http://www.google.com/search?hl=en&q=intercage+malware
>>>
>>> You don't get called the ***American RBN*** for hosting a couple bad
>>> machines. They
>>> have and will continue to host much of the malware pumped out of America.
>>> THEY
>>> ARE NOT YOUR COMRADES..
>>>
>>> These people represent the most HIGHLY ORGANIZED CRIME you will ever
>>> come across. Most people were afraid to speak out against them until this
>>> recent ground swell.
>>>
>>> This is the MALWARE CARTEL. GET THE PICTURE?
>>>
>>> Many links have been posted here that prove this already -- instead of
>>> asking
>>> what customers they cut off, let them show WHAT CUSTOMERS ARE LEGIT--
>>> because there are NONE.
>>>
>>>
>>>
>>>
>>>
>>>>>> I would suggest a different Step 1. Instead of killing power, simply
>>>>>> isolate the affected machine. This might be as simple as putting up a
>>>>>> firewall rule or two, if it is simply sending outgoing SMTP spam, or
>>>>> it's probably easiest (depending on the network gear of course) to
>>>>> just put the lan port into an isolated VLAN. It's not the 100%
>>>>> solution (some badness rm's itself once it loses connectivity to the
>>>>> internets) but it'd make things simpler for the client/LEA when they
>>>>> need to figure out what happened.
>>>>>
>>>>> -chris
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>>
>>>
>>>
>>
>>
>>
>>
>>
>>
>
>
>
>
>
>
>