Ronald F. Guilmette
rfg at tristatelogic.com
Tue Jul 2 20:26:45 UTC 2019
The other day I promised an apology to this list. I now fulfill that
commitment, but with an explanation.

On or about November 17, 2016 I made a posting to this [rpd] list
bemoaning an apparent situation in which one or more large scale
spamming operations, presumably American, had quite clearly managed,
by hook or by crook, to make off with numerous /16 blocks of Afrinic
"legacy" IPv4 space, all of which had then been turned to the purposes
of supporting snowshoe spamming:

Even back in 2016, I had already had some modest experience with this
sort of hijacking. That prior experience led me to the general belief
that mere route hijacks, which are common, and which the entire Internet
still struggles with, were, in general, rather easily distinguishable
from more nefarious cases in which not only is an IP block absconded
with, but also, where the perpetrators somehow also manage to get control
of the relevant reverse DNS delegations for the stolen block(s).

The several Afrinic legacy /16 blocks that I called attention to back in
November, 2016 all appeared to have this very unusual property, i.e. not
only were the blocks all quite clearly being routed improperly, and by
parties that had no legitimate claim to those blocks, but also, the
particular snowshoe spammer(s) that had managed to get these blocks routed
(by helpful co-conspirators) had also managed to seize control of all of
the relevant reverse DNS delegations. (It is very helpful to spammers,
generally, to be able to control the reverse DNS for their spam-spewing

Because of that highly unusual situation, i.e. the active and (apparently)
properly delegated reverse DNS authority for the blocks in question,
I initially came to the utterly incorrect conclusion that this whole
thing must have been an "inside job" and that someone within Afrinic
was facilitating this entirely improper mass takeover of several large
chunks of legacy Afrinic IPv4 address space. I proceeded to make a
number of baseless and inflammatory comments here on that basis, vaguely
intimating exactly such collusion on the part of some unspecified party
or parties directly associated with Afrinic.

For the past 2+ years I have intended to offer my apologies for that.
I can now only hope that the old saying "Better late than never" applies
in this instance.

After my initial burst of research on this incident, and following my
unfortunate postings to this list, back in November, 2016, I did look
into this whole matter further and made a rather remarkable discovery.
As it turned out, most or all of the stolen Afrinic legacy /16 blocks
at issue had in place... perhaps since the beginning of time... delegations
for their respective reverse DNS to a single common pair of name server
names, both of which themselves were (ns1,ns2) subdomains of a single
common .co.za domain name.

As I subsequently learned, the registration for that particular .co.za
domain name simply had been allowed to expire by its original owners.
Subsequent to that, it seems, an exceptionally clever American spammer
apparently took note of this, re-registered the domain name himself,
and set up his own pair of (ns1,ns2) name servers, using that old and
abandoned .co.za domain name as the base domain name for his own shiny
new pair of (ns1,ns2) name servers.

Upon the creation of these two "new edition" name servers, those became,
of course, empowered to provide nicely matching reverse DNS for much or
all of the stolen Afrinic legacy /16 blocks in question. And they did so.

Through the miracle of modern passive DNS services, I was later able to
definitively determine the identity of the American spammer who had
engineered most or all of this skulduggery. For now, just suffice it to
say that he was and is a convicted felon in the United States, having been
previously convicted, in an earlier decade, of drug dealing in Florida.
(He spent time in a Florida prison as a result of this conviction.)

If anyone feels the need for this man's identity, please contact me off
list and I will provide it.

I offer all of the above not as an excuse for my unacceptable behavior on
this mailing list, back in 2016, but merely by way of explanation, so that
I and my actions may perhaps be understood, even if not forgiven. I did
not have all of the facts. As a result, I made a mistake, and quite a
serious one, and I went around casting entirely unfair, improper and
indefensible aspersions, on this mailing list, against entirely honorable
people who had no role whatsoever in any of these apparent thefts and
misuses of legacy Afrinic address space.

I can only say that I hope that I have learned my lesson and that I will,
in future, be rather more circumspect and reticent before making assumptions
and/or reaching conclusions that may, in the end, not be borne out by the

I should and must apologize also for having taken so long to post this
apology. As I say, I realized my error some 2+ years ago already, and
I have been meaning ever since to come here and offer this mea culpa.
My only excuse for having failed to do so, long ago, is just that I am
human, like everybody else. And who among us is eager to admit their
flaws and mistakes in public? (At least I got to it before I departed

I can neither ask for nor expect anyone here to either forgive or to forget
my past bad behavior here, but I can hope. It may perhaps help if I say
that it is my firm intention to contribute, in future, with malice towards
none, and with charity and respect towards all in this community.
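Editor's note (added example, not code from Mr. Guilmette's post or from Afrinic): the mechanism described above is a dangling reverse-DNS delegation. The in-addr.arpa zones for the blocks pointed at ns1/ns2 under one base domain; once that domain lapsed, whoever re-registered it could answer authoritatively for every block still delegated to those names. The script below shows the check a registry or block holder can run against its own delegations: map each prefix to its reverse zone, take the NS names delegated for that zone, reduce them to their registrable base domain, and flag any base domain that serves several blocks but has no current registration. Assumptions, all labelled in the code: the public-suffix set is a short illustrative stand-in for the real public suffix list; the NS answers and the registration lookup are injected callables fed with constructed data (RFC 5737 documentation prefixes and made-up host names), so nothing here refers to a real delegation; in production those callables would be wired to a resolver that fetches the NS RRset from the parent zone and to an RDAP or WHOIS client.

```python
"""Audit reverse-DNS delegations for blocks whose name servers hang off one
base domain, and flag that domain if it is not (or no longer) registered.

Added illustration, not code from the post. Resolver and registration
lookups are injected callables so the audit runs offline on constructed data;
wire them to a real resolver (NS RRset from the parent zone) and an
RDAP/WHOIS client to use it for real.
"""
import ipaddress
from collections import defaultdict

# Stand-in for a public-suffix list. Assumption: illustrative entries only;
# a real audit should load the public suffix list so that base_domain()
# handles every registry's second-level structure.
PUBLIC_SUFFIXES = {"co.za", "org.za", "net.za", "ac.za", "co.uk", "com", "net", "org", "za"}


def reverse_zone(prefix: str) -> str:
    """in-addr.arpa zone for an octet-aligned IPv4 prefix (/8, /16 or /24)."""
    net = ipaddress.ip_network(prefix, strict=True)
    if net.version != 4 or net.prefixlen not in (8, 16, 24):
        raise ValueError("only /8, /16 and /24 IPv4 prefixes map to one zone")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa."


def base_domain(hostname: str) -> str:
    """Registrable domain of a name-server host: ns1.foo.co.za. -> foo.co.za."""
    labels = hostname.rstrip(".").lower().split(".")
    # Walk from the longest candidate suffix down, so co.za wins over za.
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return ".".join(labels[-2:])


def audit(prefixes, query_ns, is_registered):
    """Group prefixes by the base domain of their delegated NS hosts.

    query_ns(zone) -> list of NS host names delegated for that reverse zone.
    is_registered(domain) -> True if the domain currently has a registration.
    Returns one finding per base domain; a finding with registered=False and
    several prefixes is the lapsed-domain takeover the post describes.
    """
    by_domain = defaultdict(set)
    for prefix in prefixes:
        for ns in query_ns(reverse_zone(prefix)):
            by_domain[base_domain(ns)].add(prefix)
    return [
        {
            "ns_base_domain": domain,
            "prefixes": sorted(blocks),
            "registered": is_registered(domain),
        }
        for domain, blocks in sorted(by_domain.items())
    ]


def takeover_candidates(findings):
    """Base domains that serve reverse DNS for some block but are unregistered."""
    return [f["ns_base_domain"] for f in findings if not f["registered"]]


# Constructed sample data using RFC 5737 documentation prefixes; these are
# not real delegations. Two blocks share ns1/ns2 under one .co.za domain that
# has no registration; the third sits under a registered provider domain.
SAMPLE_NS = {
    "2.0.192.in-addr.arpa.": ["ns1.lapsed-example.co.za.", "ns2.lapsed-example.co.za."],
    "100.51.198.in-addr.arpa.": ["ns1.lapsed-example.co.za.", "ns2.lapsed-example.co.za."],
    "113.0.203.in-addr.arpa.": ["ns1.example.net.", "ns2.example.net."],
}
SAMPLE_REGISTERED = {"example.net"}
SAMPLE_PREFIXES = ["192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24"]


def run_sample():
    """Run the audit against the constructed data above."""
    return audit(
        SAMPLE_PREFIXES,
        query_ns=lambda zone: SAMPLE_NS.get(zone, []),
        is_registered=lambda domain: domain in SAMPLE_REGISTERED,
    )


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
    print("takeover candidates:", takeover_candidates(run_sample()))
```

Two caveats when running this for real: the NS names must come from the parent's delegation (the RRset the parent zone hands out), not from whatever the child servers currently answer, since an attacker-operated child will happily confirm itself; and "registered" should be read as "registered to the party that holds the address block", because a domain that has been picked up by someone else, as in the case above, passes a naive existence check.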