Search RPD Archives
Limit search to: Subject & Body Subject Author
Sort by:

[rpd] Mass Hijacking of AFRINIC IPv4 Space by U.S.A. Spammers

fransossen at fransossen at
Fri Nov 18 17:07:52 UTC 2016


Hi Ronald,

You always discover very nice spamming network setups!

> But I guess that the whole Cloud Innovation incident proves that I should 
> not be expecting anything even remotely like "good stewardship" of limited 
> IPv4 resources out of Afrinic.

Please see Heng Lu's explanation about the whole Cloud Innovation incident, it was a very clever abuse of internet resources and peering agreement, and not one that a resource holder can prevent in any kind of way.

He actually did an excellent job at actually tracking where the problem was and notifying the involved parties as it was not a simple case of hijacking unannounced resources.

In your emails you tend to come as blaming the resource holders for their resources being hijacked. 

The Dutch government had its unannounced resources hijacked by similar schemes a while back. 

It can happen to anyone, when it happens, good netizens should inform the resource holders, inform the respective RIR is good practice as well, as they maintain a lot of contact with their members. 

>From the list you provided, there are some interesting things that pops up almost immediately, removing all kind of doubt on the nature of the people behind.

>From your pastebin, I randomly took one domain:

It takes you to a copy of "Bouygues" website, so red flag can be raised as to the intention of whoever is behind this.
You can now report it to "Bouygues", I am sure they have enough lawyers to drive this further...

And to whomever is behind the IP address in the AFFRINIC DB:

inetnum: - 
netname:        COLUMBUS-ZA1 
descr:          Columbus Stainless 
descr:          P.O. Box 133 
descr:          Middelburg Tvl 
descr:          1050 
country:        ZA 
admin-c:        KC224-AFRINIC 
tech-c:         KC224-AFRINIC 
status:         ASSIGNED PI 
mnt-by:         TF-160-115-MNT 
mnt-lower:      TF-160-115-MNT 
mnt-domains:    TF-160-115-MNT 
changed:        hostmaster at 19840101 
changed:        hostmaster at 19950725 
changed:        hostmaster at 20050221 
changed:        hostmaster at 20060203 
source:         AFRINIC 
parent: - 

person:         Kezia Crawford-Cousins 
address:        P O Box 3234 
address:        Parklands 2121 
address:        ZA 
phone:          +27 11 447 5566 
e-mail:         kezia at 
nic-hdl:        KC224-AFRINIC 
changed:        hostmaster at 19950622 
changed:        hostmaster at 19951127 
changed:        hostmaster at 20050221 
source:         AFRINIC

If Kezia is not the correct person then the company registered on the resources still seem to exist at least:

That range itself seems indeed pretty broken up and announced via various AS numbers:

All those AS going indeed to AS260:

And all recently and sometimes briefly revived:

The AFRINIC community at large is not to be blamed for what happened here, the AFRINIC is not to be blamed either, some of that space is registered to member other is not registered to organisation with whom the AFRINIC is in contact due to it being legacy, it makes no difference at the end as it will get hijacked anyway, their space was most likely misused, the rightful holders should be contacted so they can take the needed measures.

AS260 is registered to ARIN, and the company behind is an LIR at the RIPE NCC as well, you have means to contact them, their peering partners and so on for explanation, but the best course of action is imho to contact the resources holders and the RIR.

And I hope the noise you created now is going to have some effect in cleaning up that mess.

Keep tracking those nasty networks, but don't blame the victims!

Ducth government was not a spammer.
Cloud Innovation was not a spammer.

And for wiw most of those African resources are not spammers either, they are victims.

David Hilario


RPD mailing list
RPD at

More information about the RPD mailing list